Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
LisectAVT_2403002B_47.exe

Overview

General Information

Sample name:LisectAVT_2403002B_47.exe
Analysis ID:1481626
MD5:6fd4849beabb6b6d40230e9f4d491d26
SHA1:7811c23f6fef484d9d7bc9dd362a6ff389ad0dcc
SHA256:3ac758c494812836d63fb7016a040ef640dcc9700b7532f85b94f61b86a98bfc
Tags:exe
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
AI detected suspicious sample
Uses known network protocols on non-standard ports
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • LisectAVT_2403002B_47.exe (PID: 7676 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_47.exe" MD5: 6FD4849BEABB6B6D40230E9F4D491D26)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Suricata Signatures

Timestamp:2024-07-25T12:03:42.379542+0200
SID:2803304
Source Port:49756
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:55.665206+0200
SID:2803304
Source Port:49736
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:13.363342+0200
SID:2803304
Source Port:49744
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:35.602396+0200
SID:2803304
Source Port:49727
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:06.410315+0200
SID:2803304
Source Port:49713
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:10.864022+0200
SID:2803304
Source Port:49715
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:11.164909+0200
SID:2803304
Source Port:49743
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:40.153800+0200
SID:2803304
Source Port:49755
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:46.598268+0200
SID:2803304
Source Port:49732
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:31.006692+0200
SID:2803304
Source Port:49724
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:08.659882+0200
SID:2803304
Source Port:49714
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:01:54.568914+0200
SID:2022930
Source Port:443
Destination Port:49706
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:2024-07-25T12:03:04.590829+0200
SID:2803304
Source Port:49740
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:44.405064+0200
SID:2803304
Source Port:49731
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:04.091117+0200
SID:2803304
Source Port:49712
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:42.182690+0200
SID:2803304
Source Port:49730
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:08.954261+0200
SID:2803304
Source Port:49742
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:15.267526+0200
SID:2803304
Source Port:49717
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:39.968755+0200
SID:2803304
Source Port:49729
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:37.915374+0200
SID:2803304
Source Port:49754
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:15.594448+0200
SID:2803304
Source Port:49745
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:30.948100+0200
SID:2803304
Source Port:49751
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:57.900108+0200
SID:2803304
Source Port:49737
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:21.881014+0200
SID:2803304
Source Port:49720
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:20.093095+0200
SID:2803304
Source Port:49747
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:01:59.685523+0200
SID:2803304
Source Port:49710
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:28.801134+0200
SID:2803304
Source Port:49723
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:26.595845+0200
SID:2803304
Source Port:49722
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:01:57.508916+0200
SID:2803304
Source Port:49709
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:25.584018+0200
SID:2803304
Source Port:49749
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:17.460034+0200
SID:2803304
Source Port:49718
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:37.794248+0200
SID:2803304
Source Port:49728
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:06.783387+0200
SID:2803304
Source Port:49741
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:35.649839+0200
SID:2803304
Source Port:49753
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:23.345037+0200
SID:2803304
Source Port:49748
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:32.261674+0200
SID:2022930
Source Port:443
Destination Port:49725
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:2024-07-25T12:02:13.065784+0200
SID:2803304
Source Port:49716
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:33.184803+0200
SID:2803304
Source Port:49752
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:02.367015+0200
SID:2803304
Source Port:49739
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:51.236924+0200
SID:2803304
Source Port:49734
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:00.090140+0200
SID:2803304
Source Port:49738
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:01.918936+0200
SID:2803304
Source Port:49711
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:17.847675+0200
SID:2803304
Source Port:49746
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:33.372593+0200
SID:2803304
Source Port:49726
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:48.894003+0200
SID:2803304
Source Port:49733
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:24.402149+0200
SID:2803304
Source Port:49721
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:03:28.772076+0200
SID:2803304
Source Port:49750
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:19.678030+0200
SID:2803304
Source Port:49719
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic
Timestamp:2024-07-25T12:02:53.428017+0200
SID:2803304
Source Port:49735
Destination Port:8000
Protocol:TCP
Classtype:Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: LisectAVT_2403002B_47.exeAvira: detected
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002B_47.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_0041001A FindFirstFileExA,0_2_0041001A

Networking

barindex
Uses known network protocols on non-standard ports
Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 8000
Source: global trafficTCP traffic: 192.168.2.9:49709 -> 156.254.126.18:8000
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknownTCP traffic detected without corresponding DNS query: 156.254.126.18
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4%
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4C
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4N
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4Y
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4hqos.dll.mui
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4hqos.dll.mui%cA
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4hqos.dll.mui0ct
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4hqos.dll.mui3e
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4hqos.dll.muiE
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4n
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4r
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://156.254.126.18:8000/xb-4wsock.dll.mui
Source: LisectAVT_2403002B_47.exeString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: LisectAVT_2403002B_47.exeString found in binary or memory: http://s2.symcb.com0
Source: LisectAVT_2403002B_47.exeString found in binary or memory: http://www.symauth.com/cps0(
Source: LisectAVT_2403002B_47.exeString found in binary or memory: http://www.symauth.com/rpa00
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_0040DEC90_2_0040DEC9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_004047160_2_00404716
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_0040D7AF0_2_0040D7AF
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_00405FB00_2_00405FB0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: String function: 00405840 appears 31 times
Source: LisectAVT_2403002B_47.exe, 00000000.00000000.1367159618.0000000000429000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFL.exe4 vs LisectAVT_2403002B_47.exe
Source: LisectAVT_2403002B_47.exeBinary or memory string: OriginalFilenameFL.exe4 vs LisectAVT_2403002B_47.exe
Source: LisectAVT_2403002B_47.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engineClassification label: mal56.troj.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_004232A4 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,0_2_004232A4
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCommand line argument: NEA0_2_004144A0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
Source: LisectAVT_2403002B_47.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LisectAVT_2403002B_47.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LisectAVT_2403002B_47.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LisectAVT_2403002B_47.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002B_47.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LisectAVT_2403002B_47.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: LisectAVT_2403002B_47.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002B_47.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LisectAVT_2403002B_47.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LisectAVT_2403002B_47.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LisectAVT_2403002B_47.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LisectAVT_2403002B_47.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_00444000 LoadLibraryW,GetProcAddress,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,FreeLibrary,0_2_00444000
Source: LisectAVT_2403002B_47.exeStatic PE information: real checksum: 0x41085 should be: 0x42e46
Source: LisectAVT_2403002B_47.exeStatic PE information: section name: .fixer
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_00405886 push ecx; ret 0_2_00405899

Hooking and other Techniques for Hiding and Protection

barindex
Uses known network protocols on non-standard ports
Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 8000
Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 8000
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_00404716 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00404716
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeAPI coverage: 4.1 %
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe TID: 7680Thread sleep time: -510000s >= -30000sJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_0041001A FindFirstFileExA,0_2_0041001A
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeThread delayed: delay time: 30000Jump to behavior
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.0000000000483000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.00000000004B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_00409371 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00409371
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_00444000 LoadLibraryW,GetProcAddress,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,FreeLibrary,0_2_00444000
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_00422BFE mov edx, dword ptr fs:[00000030h]0_2_00422BFE
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_0040A60E mov eax, dword ptr fs:[00000030h]0_2_0040A60E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_0040D430 GetProcessHeap,0_2_0040D430
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_00409371 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00409371
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_00404B27 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00404B27
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_004054A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004054A9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_0040563B SetUnhandledExceptionFilter,0_2_0040563B
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_00405690 cpuid 0_2_00405690
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_004058A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_004058A0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_0040F84D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0040F84D
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exeCode function: 0_2_004023B0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_004023B0

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
DLL Side-Loading		11
Virtualization/Sandbox Evasion		OS Credential Dumping2
System Time Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Native API		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Deobfuscate/Decode Files or Information		LSASS Memory21
Security Software Discovery		Remote Desktop ProtocolData from Removable Media11
Non-Standard Port		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
Obfuscated Files or Information		Security Account Manager11
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive1
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS2
Process Discovery		Distributed Component Object ModelInput Capture1
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
File and Directory Discovery		SSHKeylogging1
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
LisectAVT_2403002B_47.exe100%AviraBDS/Redcap.kouft

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://www.symauth.com/rpa000%URL Reputationsafe
http://www.symauth.com/cps0(0%URL Reputationsafe
http://156.254.126.18:8000/xb-4N0%Avira URL Cloudsafe
http://156.254.126.18:8000/xb-4hqos.dll.mui0%Avira URL Cloudsafe
http://156.254.126.18:8000/xb-40%Avira URL Cloudsafe
http://156.254.126.18:8000/xb-4hqos.dll.mui3e0%Avira URL Cloudsafe
http://156.254.126.18:8000/xb-4hqos.dll.mui%cA0%Avira URL Cloudsafe
http://156.254.126.18:8000/xb-4hqos.dll.mui0ct0%Avira URL Cloudsafe
http://156.254.126.18:8000/xb-4r0%Avira URL Cloudsafe
http://156.254.126.18:8000/xb-4wsock.dll.mui0%Avira URL Cloudsafe
http://156.254.126.18:8000/xb-4hqos.dll.muiE0%Avira URL Cloudsafe
http://156.254.126.18:8000/xb-4Y0%Avira URL Cloudsafe
http://156.254.126.18:8000/xb-4%0%Avira URL Cloudsafe
http://156.254.126.18:8000/xb-4C0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

NameMaliciousAntivirus DetectionReputation
http://156.254.126.18:8000/xb-4false
  • Avira URL Cloud: safe
unknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://156.254.126.18:8000/xb-4NLisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://156.254.126.18:8000/xb-4hqos.dll.muiLisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://156.254.126.18:8000/xb-4nLisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
    		unknown
    http://www.symauth.com/rpa00LisectAVT_2403002B_47.exefalse
    • URL Reputation: safe
    		unknown
    http://156.254.126.18:8000/xb-4hqos.dll.mui%cALisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://156.254.126.18:8000/xb-4hqos.dll.mui0ctLisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://156.254.126.18:8000/xb-4hqos.dll.mui3eLisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://156.254.126.18:8000/xb-4hqos.dll.muiELisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://156.254.126.18:8000/xb-4rLisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://156.254.126.18:8000/xb-4wsock.dll.muiLisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://156.254.126.18:8000/xb-4YLisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://www.symauth.com/cps0(LisectAVT_2403002B_47.exefalse
    • URL Reputation: safe
    		unknown
    http://156.254.126.18:8000/xb-4%LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://156.254.126.18:8000/xb-4CLisectAVT_2403002B_47.exe, 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_47.exe, 00000000.00000002.2609206989.000000000049B000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    156.254.126.18
    		unknownSeychelles
    		135026THINKDREAM-AS-APThinkDreamTechnologyLimitedHKfalse

    General Information

    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1481626
    Start date and time:2024-07-25 12:00:42 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 6s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:7
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:LisectAVT_2403002B_47.exe
    Detection:MAL
    Classification:mal56.troj.winEXE@1/0@0/1
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 4
    • Number of non-executed functions: 56
    Cookbook Comments:
    • Found application associated with file extension: .exe

    Warnings

    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes where analyzed, report is missing behavior information
    • VT rate limit hit for: LisectAVT_2403002B_47.exe

    Simulations

    Behavior and APIs

    TimeTypeDescription
    06:01:56API Interceptor46x Sleep call for process: LisectAVT_2403002B_47.exe modified

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    156.254.126.18gx.elfGet hashmaliciousChaosBrowse
    • 156.254.126.18:8080/password.txt

    Domains

    No context

    ASNs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    THINKDREAM-AS-APThinkDreamTechnologyLimitedHK4qOdQ3lrYx.elfGet hashmaliciousMiraiBrowse
    • 119.8.28.218
    jhpg1LVUrZ.elfGet hashmaliciousMiraiBrowse
    • 119.8.28.202
    https://link.mail.beehiiv.com/ls/click?upn=u001.AafWW5Nqnbo2z-2BTA50bGEdcgdlKW6veoHg9i0lfVykqgG210mMbY9x6wlCJFem63Ptvb1AhwNnKu2bFWir67u4CZi9kAG27a28kN3PuYedxeUyKmOac6ITo-2BRFaF-2Bd-2Fi2Ixv82DfFvf02BiAI4hE-2B33SFQFo6ls2LdouLvYQ4evOtL64w0kovPYLtYVrx27PXV8C_Brrq8-2Fl00XKb7EalRYiEGmX6heUjj2STeswY-2BsiIt8od5e7wnskh4Flyd2gRfoUQMNxCsUTDSaFM8zPDLSGDGP82i7-2F2T8vItuV5dWHeXDAA5lbmJvOIRHwwHLaZqkTAe-2FUo72xufSnVCNP9jOcjTziRyEgpuuJQJiZBB3fK9Jfw-2BwXqmN7-2Bgu5oQ-2B1xbFghH62g1lHFS1Y4CHHJPc0auTlLsB05ygQ-2FI-2F7sxR9u8jR91M7H-2BbzqUKzs-2BT3ZKLeFEIL3152abEbru7Xm-2FQccrWU8wpYyuMKn02Tn-2B2EMXTmjNNbbalm-2BJ6GnnTdkYphMczl4vx3aqH514BnG-2FxWL6zJOg9p0nIer2lira82L8b5vTqtEzMFFrshInaCk-2FIKuK7IqIBd82nujTq2sahPgOcOQZPE1-2F-2BLJyD2o7TtDkzFXunFRnYrxODO7DLzvTUoA#SZ2JyYWRsZXlAdmNjdW9ubGluZS5uZXQ=&d=DwMFaQGet hashmaliciousHTMLPhisherBrowse
    • 156.227.6.70
    sBgS8t0K7i.elfGet hashmaliciousMiraiBrowse
    • 103.206.123.198
    Qd0pExC2i1.elfGet hashmaliciousMiraiBrowse
    • 103.206.123.186
    HxTjtCwHSe.elfGet hashmaliciousMiraiBrowse
    • 103.206.123.189
    tY2bVScm0v.elfGet hashmaliciousMiraiBrowse
    • 103.114.133.123
    PO34730937398.exeGet hashmaliciousRHADAMANTHYSBrowse
    • 156.227.6.50
    sales contract-876 & New-Order.exeGet hashmaliciousFormBookBrowse
    • 156.227.6.30
    mt103.jsGet hashmaliciousFormBookBrowse
    • 156.227.6.30

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.87364273870965
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:LisectAVT_2403002B_47.exe
    File size:266'752 bytes
    MD5:6fd4849beabb6b6d40230e9f4d491d26
    SHA1:7811c23f6fef484d9d7bc9dd362a6ff389ad0dcc
    SHA256:3ac758c494812836d63fb7016a040ef640dcc9700b7532f85b94f61b86a98bfc
    SHA512:367d544c24a4c0ef40f05bd83181c64adb1d49e9a154b25648900cf604d74893fdc643e5f1de0de0bce0c0f19e802f83be6a9c85423800ffb8c330a2806198e6
    SSDEEP:3072:sp4xw3IkbNoyP6niK6gc31EvtAg0FubKk0Drz8ZcETg3+vhjNZQfGZ7DaTIOYWt7:w4k/oyPZKfAOB0DrAZtj7QfGZ7uOes
    TLSH:2B448E183CD18677D7A239B50CA5DBB5DC6FED7007608BEBA394EB790E242C22523563
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@...!...!...!..c.!..!..c.#.@!..c."..!.......!.......!.......!...YC..!...!...!..@....!..E./..!...!G..!..@....!..Rich.!.........

    File Icon

    Icon Hash:2f3979797939190f

    Static PE Info

    General

    Entrypoint:0x405316
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
    Time Stamp:0x5C6FB2CC [Fri Feb 22 08:29:00 2019 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:1
    File Version Major:5
    File Version Minor:1
    Subsystem Version Major:5
    Subsystem Version Minor:1
    Import Hash:db8de496dd66110cf35d3e281bf4cecf

    Authenticode Signature

    Signature Valid:
    Signature Issuer:
    Signature Validation Error:
    Error Number:
    Not Before, Not After
      Subject Chain
        Version:
        Thumbprint MD5:
        Thumbprint SHA-1:
        Thumbprint SHA-256:
        Serial:

        Entrypoint Preview

        Instruction
        call 00007FA950D34885h
        jmp 00007FA950D34193h
        push eax
        push dword ptr fs:[00000000h]
        lea eax, dword ptr [esp+0Ch]
        sub esp, dword ptr [esp+0Ch]
        push ebx
        push esi
        push edi
        mov dword ptr [eax], ebp
        mov ebp, eax
        mov eax, dword ptr [00422070h]
        xor eax, ebp
        push eax
        mov dword ptr [ebp-10h], esp
        push dword ptr [ebp-04h]
        mov dword ptr [ebp-04h], FFFFFFFFh
        lea eax, dword ptr [ebp-0Ch]
        mov dword ptr fs:[00000000h], eax
        ret
        jmp dword ptr [0041514Ch]
        int3
        int3
        int3
        mov eax, dword ptr [esp+08h]
        mov ecx, dword ptr [esp+10h]
        or ecx, eax
        mov ecx, dword ptr [esp+0Ch]
        jne 00007FA950D3430Bh
        mov eax, dword ptr [esp+04h]
        mul ecx
        retn 0010h
        push ebx
        mul ecx
        mov ebx, eax
        mov eax, dword ptr [esp+08h]
        mul dword ptr [esp+14h]
        add ebx, eax
        mov eax, dword ptr [esp+08h]
        mul ecx
        add edx, ebx
        pop ebx
        retn 0010h
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        int3
        push ebx
        push esi
        mov eax, dword ptr [esp+18h]
        or eax, eax
        jne 00007FA950D3431Ah
        mov ecx, dword ptr [esp+14h]
        mov eax, dword ptr [esp+10h]
        xor edx, edx
        div ecx
        mov ebx, eax
        mov eax, dword ptr [esp+0Ch]
        div ecx
        mov edx, ebx
        jmp 00007FA950D34343h
        mov ecx, eax
        mov ebx, dword ptr [esp+14h]
        mov edx, dword ptr [esp+10h]
        mov eax, dword ptr [esp+0Ch]
        shr ecx, 1
        rcr ebx, 1
        shr edx, 1
        rcr eax, 1
        or ecx, ecx
        jne 00007FA950D342F6h
        div ebx

        Rich Headers

        Programming Language:
        • [IMP] VS2008 SP1 build 30729
        • [RES] VS2015 UPD3 build 24213
        • [LNK] VS2015 UPD3.1 build 24215

        Data Directories

        NameVirtual AddressVirtual Size Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IMPORT0x20a180x3c.rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE0x290000x18f75.rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
        IMAGE_DIRECTORY_ENTRY_SECURITY0x3e0000x17b8.rsrc
        IMAGE_DIRECTORY_ENTRY_BASERELOC0x420000x19a0.reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG0x1f8d00x1c.rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
        IMAGE_DIRECTORY_ENTRY_TLS0x1f94c0x18.rdata
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x1f8f00x40.rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IAT0x150000x14c.rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

        Sections

        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
        .text0x10000x13eca0x1400011bd66c136a0971b16fad0a1a615f10aFalse0.56595458984375data6.65250970718716IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata0x150000xc1b60xc2009376d3c48f5711d894cfc4cc970e991bFalse0.4856233891752577data5.512658321404061IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data0x220000x49cc0x36009c4499e7123eeef0788848a120c133c4False0.8470775462962963DOS executable (block device driver ght (c)7.3991199987904475IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .gfids0x270000x1500x20002b5641edb4343181cc0d842b828dfb0False0.43359375data2.3451760582622585IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .tls0x280000x90x2001f354d76203061bfdd5a53dae48d5435False0.033203125data0.020393135236084953IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc0x290000x18f750x1900005e6351956f8ef10302bda20bd90cb75False0.747255859375data7.122480667277769IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc0x420000x19a00x1a00f8cc0291e51a455217c80f30ddfe173aFalse0.7086838942307693data6.53789180717345IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        .fixer0x440000x10000x10003424e2cbf1f4167b8f7b4789f0e943faFalse0.087158203125data1.3316124420719018IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

        Resources

        NameRVASizeTypeLanguageCountryZLIB Complexity
        RT_ICON0x293700x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640DutchBelgium0.6868279569892473
        RT_ICON0x296580x128Device independent bitmap graphic, 16 x 32 x 4, image size 192DutchBelgium0.7027027027027027
        RT_ICON0x297800xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2688DutchBelgium0.660181236673774
        RT_ICON0x2a6280x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1152DutchBelgium0.7906137184115524
        RT_ICON0x2aed00x568Device independent bitmap graphic, 16 x 32 x 8, image size 320DutchBelgium0.7947976878612717
        RT_ICON0x2b4380xbe87PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedDutchBelgium0.995961045617632
        RT_ICON0x372c00x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896DutchBelgium0.4417808219178082
        RT_ICON0x3b4e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600DutchBelgium0.4954356846473029
        RT_ICON0x3da900x1a68Device independent bitmap graphic, 40 x 80 x 32, image size 6720DutchBelgium0.527810650887574
        RT_ICON0x3f4f80x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224DutchBelgium0.5874765478424016
        RT_ICON0x405a00x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400DutchBelgium0.6610655737704918
        RT_ICON0x40f280x6b8Device independent bitmap graphic, 20 x 40 x 32, image size 1680DutchBelgium0.7069767441860465
        RT_ICON0x415e00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088DutchBelgium0.7854609929078015
        RT_GROUP_ICON0x41a480xbcdataDutchBelgium0.6542553191489362
        RT_VERSION0x41b040x2e8dataDutchBelgium0.4731182795698925
        RT_MANIFEST0x41dec0x189XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminatorsEnglishUnited States0.6081424936386769

        Imports

        DLLImport
        KERNEL32.dllGetFileAttributesW, GetLastError, CloseHandle, WideCharToMultiByte, LoadLibraryW, GetProcAddress, FreeLibrary, SetCurrentDirectoryW, GetModuleHandleW, FindClose, GetModuleFileNameW, MultiByteToWideChar, GetModuleFileNameA, FlushFileBuffers, SetFilePointerEx, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetStringTypeW, CompareStringW, LCMapStringW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, RaiseException, RtlUnwind, LoadLibraryExW, CreateFileW, GetDriveTypeW, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, HeapAlloc, HeapReAlloc, HeapFree, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetACP, GetCurrentDirectoryW, GetFullPathNameW, SetStdHandle, GetProcessHeap, GetTimeZoneInformation, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, HeapSize, GetConsoleCP, GetConsoleMode, WriteConsoleW
        ADVAPI32.dllRegQueryValueExW, RegCloseKey, RegOpenKeyExW

        Possible Origin

        Language of compilation systemCountry where language is spokenMap
        DutchBelgium
        EnglishUnited States

        Network Behavior

        Suricata IDS Alerts

        TimestampProtocolSIDSignatureSource PortDest PortSource IPDest IP
        2024-07-25T12:03:42.379542+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497568000192.168.2.9156.254.126.18
        2024-07-25T12:02:55.665206+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497368000192.168.2.9156.254.126.18
        2024-07-25T12:03:13.363342+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497448000192.168.2.9156.254.126.18
        2024-07-25T12:02:35.602396+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497278000192.168.2.9156.254.126.18
        2024-07-25T12:02:06.410315+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497138000192.168.2.9156.254.126.18
        2024-07-25T12:02:10.864022+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497158000192.168.2.9156.254.126.18
        2024-07-25T12:03:11.164909+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497438000192.168.2.9156.254.126.18
        2024-07-25T12:03:40.153800+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497558000192.168.2.9156.254.126.18
        2024-07-25T12:02:46.598268+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497328000192.168.2.9156.254.126.18
        2024-07-25T12:02:31.006692+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497248000192.168.2.9156.254.126.18
        2024-07-25T12:02:08.659882+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497148000192.168.2.9156.254.126.18
        2024-07-25T12:01:54.568914+0200TCP2022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow4434970640.127.169.103192.168.2.9
        2024-07-25T12:03:04.590829+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497408000192.168.2.9156.254.126.18
        2024-07-25T12:02:44.405064+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497318000192.168.2.9156.254.126.18
        2024-07-25T12:02:04.091117+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497128000192.168.2.9156.254.126.18
        2024-07-25T12:02:42.182690+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497308000192.168.2.9156.254.126.18
        2024-07-25T12:03:08.954261+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497428000192.168.2.9156.254.126.18
        2024-07-25T12:02:15.267526+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497178000192.168.2.9156.254.126.18
        2024-07-25T12:02:39.968755+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497298000192.168.2.9156.254.126.18
        2024-07-25T12:03:37.915374+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497548000192.168.2.9156.254.126.18
        2024-07-25T12:03:15.594448+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497458000192.168.2.9156.254.126.18
        2024-07-25T12:03:30.948100+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497518000192.168.2.9156.254.126.18
        2024-07-25T12:02:57.900108+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497378000192.168.2.9156.254.126.18
        2024-07-25T12:02:21.881014+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497208000192.168.2.9156.254.126.18
        2024-07-25T12:03:20.093095+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497478000192.168.2.9156.254.126.18
        2024-07-25T12:01:59.685523+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497108000192.168.2.9156.254.126.18
        2024-07-25T12:02:28.801134+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497238000192.168.2.9156.254.126.18
        2024-07-25T12:02:26.595845+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497228000192.168.2.9156.254.126.18
        2024-07-25T12:01:57.508916+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497098000192.168.2.9156.254.126.18
        2024-07-25T12:03:25.584018+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497498000192.168.2.9156.254.126.18
        2024-07-25T12:02:17.460034+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497188000192.168.2.9156.254.126.18
        2024-07-25T12:02:37.794248+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497288000192.168.2.9156.254.126.18
        2024-07-25T12:03:06.783387+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497418000192.168.2.9156.254.126.18
        2024-07-25T12:03:35.649839+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497538000192.168.2.9156.254.126.18
        2024-07-25T12:03:23.345037+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497488000192.168.2.9156.254.126.18
        2024-07-25T12:02:32.261674+0200TCP2022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow4434972540.127.169.103192.168.2.9
        2024-07-25T12:02:13.065784+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497168000192.168.2.9156.254.126.18
        2024-07-25T12:03:33.184803+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497528000192.168.2.9156.254.126.18
        2024-07-25T12:03:02.367015+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497398000192.168.2.9156.254.126.18
        2024-07-25T12:02:51.236924+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497348000192.168.2.9156.254.126.18
        2024-07-25T12:03:00.090140+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497388000192.168.2.9156.254.126.18
        2024-07-25T12:02:01.918936+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497118000192.168.2.9156.254.126.18
        2024-07-25T12:03:17.847675+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497468000192.168.2.9156.254.126.18
        2024-07-25T12:02:33.372593+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497268000192.168.2.9156.254.126.18
        2024-07-25T12:02:48.894003+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497338000192.168.2.9156.254.126.18
        2024-07-25T12:02:24.402149+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497218000192.168.2.9156.254.126.18
        2024-07-25T12:03:28.772076+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497508000192.168.2.9156.254.126.18
        2024-07-25T12:02:19.678030+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497198000192.168.2.9156.254.126.18
        2024-07-25T12:02:53.428017+0200TCP2803304ETPRO MALWARE Common Downloader Header Pattern HCa497358000192.168.2.9156.254.126.18

        Network Port Distribution

        TCP Packets

        TimestampSource PortDest PortSource IPDest IP
        Jul 25, 2024 12:01:55.295332909 CEST497098000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:55.407391071 CEST800049709156.254.126.18192.168.2.9
        Jul 25, 2024 12:01:55.407485008 CEST497098000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:55.408195019 CEST497098000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:55.413803101 CEST800049709156.254.126.18192.168.2.9
        Jul 25, 2024 12:01:57.508661032 CEST800049709156.254.126.18192.168.2.9
        Jul 25, 2024 12:01:57.508915901 CEST497098000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:57.508954048 CEST497098000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:57.516258955 CEST800049709156.254.126.18192.168.2.9
        Jul 25, 2024 12:01:57.623272896 CEST497108000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:57.628135920 CEST800049710156.254.126.18192.168.2.9
        Jul 25, 2024 12:01:57.628415108 CEST497108000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:57.628415108 CEST497108000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:57.633270025 CEST800049710156.254.126.18192.168.2.9
        Jul 25, 2024 12:01:59.685451984 CEST800049710156.254.126.18192.168.2.9
        Jul 25, 2024 12:01:59.685523033 CEST497108000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:59.685621977 CEST497108000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:59.691828966 CEST800049710156.254.126.18192.168.2.9
        Jul 25, 2024 12:01:59.795315981 CEST497118000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:59.801959038 CEST800049711156.254.126.18192.168.2.9
        Jul 25, 2024 12:01:59.802042007 CEST497118000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:59.802198887 CEST497118000192.168.2.9156.254.126.18
        Jul 25, 2024 12:01:59.811871052 CEST800049711156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:01.918859959 CEST800049711156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:01.918936014 CEST497118000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:01.921540976 CEST497118000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:01.930588961 CEST800049711156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:02.030766010 CEST497128000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:02.035836935 CEST800049712156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:02.035959959 CEST497128000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:02.037522078 CEST497128000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:02.042505026 CEST800049712156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:04.091044903 CEST800049712156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:04.091116905 CEST497128000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:04.091195107 CEST497128000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:04.096086025 CEST800049712156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:04.295973063 CEST497138000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:04.301058054 CEST800049713156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:04.302208900 CEST497138000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:04.329454899 CEST497138000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:04.335474968 CEST800049713156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:06.408688068 CEST800049713156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:06.410315037 CEST497138000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:06.414413929 CEST497138000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:06.420337915 CEST800049713156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:06.513108015 CEST497148000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:06.521176100 CEST800049714156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:06.522177935 CEST497148000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:06.522303104 CEST497148000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:06.529479980 CEST800049714156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:08.659785986 CEST800049714156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:08.659882069 CEST497148000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:08.659960032 CEST497148000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:08.665798903 CEST800049714156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:08.763314962 CEST497158000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:08.768318892 CEST800049715156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:08.772022009 CEST497158000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:08.772116899 CEST497158000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:08.777545929 CEST800049715156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:10.863096952 CEST800049715156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:10.864022017 CEST497158000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:10.864089966 CEST497158000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:10.869023085 CEST800049715156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:10.966310024 CEST497168000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:10.972187996 CEST800049716156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:10.972269058 CEST497168000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:10.972362041 CEST497168000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:10.978074074 CEST800049716156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:13.065694094 CEST800049716156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:13.065783978 CEST497168000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:13.065882921 CEST497168000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:13.072058916 CEST800049716156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:13.169378042 CEST497178000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:13.174402952 CEST800049717156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:13.174499989 CEST497178000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:13.174595118 CEST497178000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:13.179367065 CEST800049717156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:15.267426968 CEST800049717156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:15.267525911 CEST497178000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:15.267657995 CEST497178000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:15.272391081 CEST800049717156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:15.372442961 CEST497188000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:15.377394915 CEST800049718156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:15.377487898 CEST497188000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:15.377597094 CEST497188000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:15.382380962 CEST800049718156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:17.459636927 CEST800049718156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:17.460033894 CEST497188000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:17.460119009 CEST497188000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:17.465826035 CEST800049718156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:17.575836897 CEST497198000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:17.580792904 CEST800049719156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:17.580868006 CEST497198000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:17.580965996 CEST497198000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:17.585757971 CEST800049719156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:19.677957058 CEST800049719156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:19.678030014 CEST497198000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:19.678119898 CEST497198000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:19.682985067 CEST800049719156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:19.795512915 CEST497208000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:19.800457001 CEST800049720156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:19.800535917 CEST497208000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:19.800687075 CEST497208000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:19.806797981 CEST800049720156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:21.880868912 CEST800049720156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:21.881014109 CEST497208000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:21.881109953 CEST497208000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:21.887126923 CEST800049720156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:21.997798920 CEST497218000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:22.004205942 CEST800049721156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:22.004282951 CEST497218000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:22.004456997 CEST497218000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:22.009438038 CEST800049721156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:24.402076960 CEST800049721156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:24.402148962 CEST497218000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:24.402230978 CEST497218000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:24.403048992 CEST800049721156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:24.403104067 CEST497218000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:24.407155991 CEST800049721156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:24.513187885 CEST497228000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:24.518028975 CEST800049722156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:24.518127918 CEST497228000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:24.518286943 CEST497228000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:24.523335934 CEST800049722156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:26.595624924 CEST800049722156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:26.595844984 CEST497228000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:26.595973969 CEST497228000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:26.601310968 CEST800049722156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:26.702238083 CEST497238000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:26.707297087 CEST800049723156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:26.710386038 CEST497238000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:26.714775085 CEST497238000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:26.724065065 CEST800049723156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:28.801064014 CEST800049723156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:28.801134109 CEST497238000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:28.801211119 CEST497238000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:28.806266069 CEST800049723156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:28.903722048 CEST497248000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:28.909568071 CEST800049724156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:28.909640074 CEST497248000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:28.909766912 CEST497248000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:28.915194035 CEST800049724156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:31.006608963 CEST800049724156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:31.006691933 CEST497248000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:31.006786108 CEST497248000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:31.012038946 CEST800049724156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:31.122724056 CEST497268000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:31.127573967 CEST800049726156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:31.127716064 CEST497268000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:31.128010035 CEST497268000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:31.133240938 CEST800049726156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:33.372514963 CEST800049726156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:33.372592926 CEST497268000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:33.372678041 CEST497268000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:33.377470016 CEST800049726156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:33.481862068 CEST497278000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:33.487298965 CEST800049727156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:33.487380028 CEST497278000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:33.487469912 CEST497278000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:33.493576050 CEST800049727156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:35.602305889 CEST800049727156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:35.602396011 CEST497278000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:35.602477074 CEST497278000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:35.609082937 CEST800049727156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:35.716222048 CEST497288000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:35.721127987 CEST800049728156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:35.721251965 CEST497288000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:35.721335888 CEST497288000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:35.728621960 CEST800049728156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:37.793828011 CEST800049728156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:37.794248104 CEST497288000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:37.794390917 CEST497288000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:37.799237013 CEST800049728156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:37.904468060 CEST497298000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:37.909661055 CEST800049729156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:37.909789085 CEST497298000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:37.909920931 CEST497298000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:37.914777040 CEST800049729156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:39.968625069 CEST800049729156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:39.968755007 CEST497298000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:39.968878984 CEST497298000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:39.977888107 CEST800049729156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:40.076359034 CEST497308000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:40.081649065 CEST800049730156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:40.081726074 CEST497308000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:40.081923008 CEST497308000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:40.086806059 CEST800049730156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:42.182616949 CEST800049730156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:42.182689905 CEST497308000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:42.182807922 CEST497308000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:42.187711000 CEST800049730156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:42.296365976 CEST497318000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:42.302310944 CEST800049731156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:42.302392006 CEST497318000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:42.302661896 CEST497318000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:42.310839891 CEST800049731156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:44.405003071 CEST800049731156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:44.405064106 CEST497318000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:44.405148983 CEST497318000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:44.410254002 CEST800049731156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:44.513472080 CEST497328000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:44.518313885 CEST800049732156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:44.518378973 CEST497328000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:44.518527985 CEST497328000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:44.523313046 CEST800049732156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:46.598182917 CEST800049732156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:46.598268032 CEST497328000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:46.693420887 CEST497328000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:46.698580027 CEST800049732156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:46.810259104 CEST497338000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:46.815489054 CEST800049733156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:46.815574884 CEST497338000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:46.815705061 CEST497338000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:46.820938110 CEST800049733156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:48.893023968 CEST800049733156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:48.894002914 CEST497338000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:48.894260883 CEST497338000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:48.900898933 CEST800049733156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:49.000257015 CEST497348000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:49.006674051 CEST800049734156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:49.006813049 CEST497348000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:49.006973982 CEST497348000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:49.012989044 CEST800049734156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:51.236825943 CEST800049734156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:51.236923933 CEST497348000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:51.237070084 CEST497348000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:51.245934010 CEST800049734156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:51.341891050 CEST497358000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:51.348189116 CEST800049735156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:51.348283052 CEST497358000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:51.348447084 CEST497358000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:51.353229046 CEST800049735156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:53.427946091 CEST800049735156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:53.428016901 CEST497358000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:53.428092003 CEST497358000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:53.432913065 CEST800049735156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:53.544872999 CEST497368000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:53.551733971 CEST800049736156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:53.552064896 CEST497368000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:53.552184105 CEST497368000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:53.557861090 CEST800049736156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:55.664983034 CEST800049736156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:55.665205956 CEST497368000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:55.665205956 CEST497368000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:55.672450066 CEST800049736156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:55.779455900 CEST497378000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:55.788603067 CEST800049737156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:55.792118073 CEST497378000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:55.792301893 CEST497378000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:55.800137997 CEST800049737156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:57.899722099 CEST800049737156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:57.900108099 CEST497378000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:57.900207996 CEST497378000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:57.907618999 CEST800049737156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:58.014352083 CEST497388000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:58.019654036 CEST800049738156.254.126.18192.168.2.9
        Jul 25, 2024 12:02:58.022502899 CEST497388000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:58.022619963 CEST497388000192.168.2.9156.254.126.18
        Jul 25, 2024 12:02:58.027546883 CEST800049738156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:00.089936972 CEST800049738156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:00.090140104 CEST497388000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:00.090949059 CEST497388000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:00.097381115 CEST800049738156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:00.201025009 CEST497398000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:00.206950903 CEST800049739156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:00.207041025 CEST497398000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:00.207204103 CEST497398000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:00.213037014 CEST800049739156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:02.366899967 CEST800049739156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:02.367014885 CEST497398000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:02.367127895 CEST497398000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:02.372181892 CEST800049739156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:02.482456923 CEST497408000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:02.491375923 CEST800049740156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:02.491476059 CEST497408000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:02.491619110 CEST497408000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:02.497694016 CEST800049740156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:04.590748072 CEST800049740156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:04.590828896 CEST497408000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:04.590935946 CEST497408000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:04.598432064 CEST800049740156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:04.700794935 CEST497418000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:04.705857038 CEST800049741156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:04.707921028 CEST497418000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:04.708014965 CEST497418000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:04.713623047 CEST800049741156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:06.783281088 CEST800049741156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:06.783386946 CEST497418000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:06.783549070 CEST497418000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:06.788785934 CEST800049741156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:06.888816118 CEST497428000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:06.893915892 CEST800049742156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:06.894016027 CEST497428000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:06.894273996 CEST497428000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:06.899847031 CEST800049742156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:08.952902079 CEST800049742156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:08.954261065 CEST497428000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:08.954301119 CEST497428000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:08.960329056 CEST800049742156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:09.060199022 CEST497438000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:09.065123081 CEST800049743156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:09.065201998 CEST497438000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:09.065340042 CEST497438000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:09.070442915 CEST800049743156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:11.164839029 CEST800049743156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:11.164908886 CEST497438000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:11.165000916 CEST497438000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:11.169764042 CEST800049743156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:11.279400110 CEST497448000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:11.284287930 CEST800049744156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:11.284363031 CEST497448000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:11.284531116 CEST497448000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:11.289956093 CEST800049744156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:13.363177061 CEST800049744156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:13.363342047 CEST497448000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:13.363446951 CEST497448000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:13.368973970 CEST800049744156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:13.478982925 CEST497458000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:13.485285044 CEST800049745156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:13.485374928 CEST497458000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:13.485512018 CEST497458000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:13.491647959 CEST800049745156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:15.594381094 CEST800049745156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:15.594448090 CEST497458000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:15.594558001 CEST497458000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:15.601006031 CEST800049745156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:15.717026949 CEST497468000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:15.722685099 CEST800049746156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:15.722781897 CEST497468000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:15.723022938 CEST497468000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:15.727858067 CEST800049746156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:17.847542048 CEST800049746156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:17.847675085 CEST497468000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:17.847803116 CEST497468000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:17.852642059 CEST800049746156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:17.951277018 CEST497478000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:17.960135937 CEST800049747156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:17.960218906 CEST497478000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:17.960462093 CEST497478000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:17.965408087 CEST800049747156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:20.093008995 CEST800049747156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:20.093095064 CEST497478000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:20.093261957 CEST497478000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:20.104856968 CEST800049747156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:20.201082945 CEST497488000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:20.206763029 CEST800049748156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:20.206882000 CEST497488000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:20.207042933 CEST497488000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:20.211819887 CEST800049748156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:23.344923019 CEST800049748156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:23.345036983 CEST497488000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:23.345395088 CEST497488000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:23.345921993 CEST800049748156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:23.345979929 CEST497488000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:23.346508026 CEST800049748156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:23.346563101 CEST497488000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:23.348095894 CEST800049748156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:23.348154068 CEST497488000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:23.354948044 CEST800049748156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:23.451111078 CEST497498000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:23.482373953 CEST800049749156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:23.482460976 CEST497498000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:23.482762098 CEST497498000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:23.496563911 CEST800049749156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:25.583885908 CEST800049749156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:25.584017992 CEST497498000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:25.605098009 CEST497498000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:25.610500097 CEST800049749156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:25.718399048 CEST497508000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:25.726746082 CEST800049750156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:25.726830006 CEST497508000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:25.727113962 CEST497508000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:25.733628035 CEST800049750156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:28.771929026 CEST800049750156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:28.772075891 CEST497508000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:28.772325039 CEST497508000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:28.772423029 CEST800049750156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:28.772509098 CEST497508000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:28.772814035 CEST800049750156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:28.772911072 CEST497508000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:28.775636911 CEST800049750156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:28.775716066 CEST497508000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:28.781723022 CEST800049750156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:28.893076897 CEST497518000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:28.898241043 CEST800049751156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:28.898533106 CEST497518000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:28.898824930 CEST497518000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:28.908090115 CEST800049751156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:30.945557117 CEST800049751156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:30.948100090 CEST497518000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:30.948251009 CEST497518000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:30.953046083 CEST800049751156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:31.060338020 CEST497528000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:31.067792892 CEST800049752156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:31.067912102 CEST497528000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:31.068052053 CEST497528000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:31.073056936 CEST800049752156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:33.184726000 CEST800049752156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:33.184803009 CEST497528000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:33.184926033 CEST497528000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:33.208080053 CEST800049752156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:33.294831991 CEST497538000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:33.549371004 CEST800049753156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:33.549608946 CEST497538000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:33.549717903 CEST497538000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:33.555243015 CEST800049753156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:35.649565935 CEST800049753156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:35.649838924 CEST497538000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:35.649887085 CEST497538000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:35.655437946 CEST800049753156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:35.763540030 CEST497548000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:35.768712997 CEST800049754156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:35.768919945 CEST497548000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:35.768996000 CEST497548000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:35.774161100 CEST800049754156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:37.915254116 CEST800049754156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:37.915374041 CEST497548000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:37.915461063 CEST497548000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:37.920356035 CEST800049754156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:38.029064894 CEST497558000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:38.035960913 CEST800049755156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:38.036035061 CEST497558000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:38.036173105 CEST497558000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:38.041043997 CEST800049755156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:40.153727055 CEST800049755156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:40.153800011 CEST497558000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:40.153906107 CEST497558000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:40.158732891 CEST800049755156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:40.263998985 CEST497568000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:40.269323111 CEST800049756156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:40.269421101 CEST497568000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:40.269742966 CEST497568000192.168.2.9156.254.126.18
        Jul 25, 2024 12:03:40.274918079 CEST800049756156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:42.379410982 CEST800049756156.254.126.18192.168.2.9
        Jul 25, 2024 12:03:42.379542112 CEST497568000192.168.2.9156.254.126.18

        HTTP Request Dependency Graph

        • 156.254.126.18:8000

        HTTP Packets

        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        0192.168.2.949709156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:01:55.408195019 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        1192.168.2.949710156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:01:57.628415108 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        2192.168.2.949711156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:01:59.802198887 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        3192.168.2.949712156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:02.037522078 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        4192.168.2.949713156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:04.329454899 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        5192.168.2.949714156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:06.522303104 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        6192.168.2.949715156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:08.772116899 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        7192.168.2.949716156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:10.972362041 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        8192.168.2.949717156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:13.174595118 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        9192.168.2.949718156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:15.377597094 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        10192.168.2.949719156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:17.580965996 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        11192.168.2.949720156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:19.800687075 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        12192.168.2.949721156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:22.004456997 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        13192.168.2.949722156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:24.518286943 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        14192.168.2.949723156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:26.714775085 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        15192.168.2.949724156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:28.909766912 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        16192.168.2.949726156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:31.128010035 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        17192.168.2.949727156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:33.487469912 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        18192.168.2.949728156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:35.721335888 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        19192.168.2.949729156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:37.909920931 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        20192.168.2.949730156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:40.081923008 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        21192.168.2.949731156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:42.302661896 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        22192.168.2.949732156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:44.518527985 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        23192.168.2.949733156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:46.815705061 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        24192.168.2.949734156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:49.006973982 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        25192.168.2.949735156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:51.348447084 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        26192.168.2.949736156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:53.552184105 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        27192.168.2.949737156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:55.792301893 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        28192.168.2.949738156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:02:58.022619963 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        29192.168.2.949739156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:00.207204103 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        30192.168.2.949740156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:02.491619110 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        31192.168.2.949741156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:04.708014965 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        32192.168.2.949742156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:06.894273996 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        33192.168.2.949743156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:09.065340042 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        34192.168.2.949744156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:11.284531116 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        35192.168.2.949745156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:13.485512018 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        36192.168.2.949746156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:15.723022938 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        37192.168.2.949747156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:17.960462093 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        38192.168.2.949748156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:20.207042933 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        39192.168.2.949749156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:23.482762098 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        40192.168.2.949750156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:25.727113962 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        41192.168.2.949751156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:28.898824930 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        42192.168.2.949752156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:31.068052053 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        43192.168.2.949753156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:33.549717903 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        44192.168.2.949754156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:35.768996000 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        45192.168.2.949755156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:38.036173105 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        46192.168.2.949756156.254.126.1880007676C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        TimestampBytes transferredDirectionData
        Jul 25, 2024 12:03:40.269742966 CEST74OUTGET /xb-4 HTTP/1.1
        Host: 156.254.126.18:8000
        Cache-Control: no-cache


        Statistics

        CPU Usage

        Click to jump to process

        Memory Usage

        Click to jump to process

        System Behavior

        General

        Target ID:0
        Start time:06:01:35
        Start date:25/07/2024
        Path:C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\LisectAVT_2403002B_47.exe"
        Imagebase:0x400000
        File size:266'752 bytes
        MD5 hash:6FD4849BEABB6B6D40230E9F4D491D26
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:false

        Disassembly

        Reset < >

          Execution Graph

          Execution Coverage:2%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:46.4%
          Total number of Nodes:28
          Total number of Limit Nodes:3
          execution_graph 10251 422b33 10254 4236a9 10251->10254 10253 422b3e 10255 4236d5 10254->10255 10256 4236ce 10254->10256 10268 422bfe 10255->10268 10256->10253 10258 4236de 10258->10256 10275 4232a4 CreateToolhelp32Snapshot 10258->10275 10261 4232a4 4 API calls 10262 423896 10261->10262 10263 4238bd Sleep 10262->10263 10266 4238d0 10262->10266 10264 4232a4 4 API calls 10263->10264 10264->10262 10266->10256 10267 4238d2 Sleep 10266->10267 10282 4235b9 InternetOpenA 10266->10282 10267->10266 10269 422c14 GetPEB 10268->10269 10274 422c0d 10268->10274 10270 422c28 10269->10270 10271 422ed8 LoadLibraryA 10270->10271 10270->10274 10272 422f0a 10271->10272 10271->10274 10273 42311b LoadLibraryA 10272->10273 10272->10274 10273->10274 10274->10258 10276 4232c5 Process32FirstW 10275->10276 10278 423551 Sleep 10275->10278 10280 4232e4 10276->10280 10281 4232de FindCloseChangeNotification 10276->10281 10278->10261 10279 423536 Process32NextW 10279->10280 10279->10281 10280->10278 10280->10279 10281->10278 10283 4235fa InternetOpenUrlA 10282->10283 10284 423614 10282->10284 10283->10284 10284->10266

          Executed Functions

          Function 004232A4 Relevance: 23.0, APIs: 4, Strings: 9, Instructions: 205processCOMMON
          Download Yara Rule

          Control-flow Graph

          APIs
          • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 004232B4
          • Process32FirstW.KERNEL32(00000000,?), ref: 004232D7
          • FindCloseChangeNotification.KERNELBASE(?), ref: 0042354E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32
          • String ID: C$M$Q360Saf$a$l$n$o$s$s
          • API String ID: 692674288-2495611964
          • Opcode ID: 3a7e114790ac83807ee783d4973c5ba35863f74a632842655462cc972086b0dd
          • Instruction ID: ea301f65fb63b90236c93c6f34219e0de73ff33be3de113c62dd973678eed83a
          • Opcode Fuzzy Hash: 3a7e114790ac83807ee783d4973c5ba35863f74a632842655462cc972086b0dd
          • Instruction Fuzzy Hash: A681A630A0C36CAAEB219B24DC557EAA7B8EF44744F0054DDD14C972D1E6BA6FC48F19
          Function 00422BFE Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 328COMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 30 422bfe-422c0b 31 422c14-422c25 GetPEB 30->31 32 422c0d-422c0f 30->32 34 422c28-422c34 31->34 33 4232a0-4232a3 32->33 34->34 35 422c36-422c3f 34->35 35->32 36 422c41-422c7a call 422b41 35->36 36->32 39 422c7c-422cb5 call 422b41 36->39 39->32 42 422cbb-422ceb call 422b41 39->42 42->32 45 422cf1-422d17 call 422b41 42->45 45->32 48 422d1d-422d4d call 422b41 45->48 48->32 51 422d53-422d80 call 422b41 48->51 51->32 54 422d86-422dac call 422b41 51->54 54->32 57 422db2-422de9 call 422b41 54->57 57->32 60 422def-422e15 call 422b41 57->60 60->32 63 422e1b-422e4b call 422b41 60->63 63->32 66 422e51-422e95 call 422b41 63->66 66->32 69 422e9b-422ed2 call 422b41 66->69 69->32 72 422ed8-422f04 LoadLibraryA 69->72 72->32 73 422f0a-422f44 call 422b41 72->73 73->32 76 422f4a-422f84 call 422b41 73->76 76->32 79 422f8a-422fad call 422b41 76->79 79->32 82 422fb3-422fe0 call 422b41 79->82 82->32 85 422fe6-423016 call 422b41 82->85 85->32 88 42301c-423073 call 422b41 85->88 88->32 91 423079-4230b3 call 422b41 88->91 91->32 94 4230b9-4230df call 422b41 91->94 94->32 97 4230e5-423115 call 422b41 94->97 97->32 100 42311b-423147 LoadLibraryA 97->100 100->32 101 42314d-42317e call 422b41 100->101 101->32 104 423184-4231c5 call 422b41 101->104 104->32 107 4231cb-423205 call 422b41 104->107 107->32 110 42320b-423260 call 422b41 107->110 110->32 113 423266-42329e call 422b41 110->113 113->33
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID:
          • String ID: LoadLibraryA$Mess$eadP$roce$ssId
          • API String ID: 0-735157309
          • Opcode ID: b36e120d0833b7731a54506a0c70d5ba7736ed5fbba49d6459cd0983861c9288
          • Instruction ID: b586430f75ab145293ba667e9a8f67668a4fff5002a76f18b79429bede9ffe87
          • Opcode Fuzzy Hash: b36e120d0833b7731a54506a0c70d5ba7736ed5fbba49d6459cd0983861c9288
          • Instruction Fuzzy Hash: 92F12FB1D0422A9BDB61CF56DA81BD9BBB4BF24300F5081DA958CE6245DBB4DBC0CF58
          Function 004236A9 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 125sleepCOMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 116 4236a9-4236cc 117 4236d5-4236e0 call 422bfe 116->117 118 4236ce-4236d0 116->118 117->118 122 4236e2-4236ee 117->122 119 42391a-423920 118->119 122->122 123 4236f0 122->123 124 4236f2-4236f6 123->124 125 4236f8-423898 call 4232a4 Sleep call 4232a4 123->125 124->122 124->125 130 4238bd-4238ce Sleep call 4232a4 125->130 133 4238d0 130->133 134 42389a-4238b8 130->134 135 4238db-4238f2 call 4235b9 133->135 134->130 140 4238d2-4238d7 Sleep 135->140 141 4238f4-423911 call 42355c call 423da0 135->141 140->135 146 423913 141->146 147 423918 141->147 146->147 147->119
          APIs
          • Sleep.KERNELBASE(000007D0), ref: 0042388B
          • Sleep.KERNELBASE(000007D0), ref: 004238BD
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: Sleep
          • String ID: 0$0$6$ck(W$hQkS
          • API String ID: 3472027048-2213254173
          • Opcode ID: 2c66a0ee2386820558b81d1253ee446268f83519f76bd6f3ac3aa14a6fcf5d4c
          • Instruction ID: b063393dda38bf1b8e8c1fc40eaeb6db28000a4d690f90c6b281b0b53222eae8
          • Opcode Fuzzy Hash: 2c66a0ee2386820558b81d1253ee446268f83519f76bd6f3ac3aa14a6fcf5d4c
          • Instruction Fuzzy Hash: 205143B1509391DFD3309F15A845B8FBBF8FF80705F50891EE5989A240DB788606CBAB
          Function 004235B9 Relevance: 3.1, APIs: 2, Instructions: 93networkCOMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 148 4235b9-4235f4 InternetOpenA 149 4236a2-4236a8 148->149 150 4235fa-42360e InternetOpenUrlA 148->150 151 423614-423634 150->151 152 42369c 150->152 154 423696 151->154 155 423636-423640 151->155 152->149 154->152 155->154 157 423642-423648 155->157 158 42364a-42365a 157->158 159 42365f-423675 157->159 162 423685-42368b 158->162 163 42365c 158->163 159->162 164 423677-42367c 159->164 167 42368e-423694 162->167 163->159 164->162 165 42367e 164->165 166 423680-423683 165->166 165->167 166->157 167->154
          APIs
          • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004235EC
          • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00423606
          Memory Dump Source
          • Source File: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: InternetOpen
          • String ID:
          • API String ID: 2038078732-0
          • Opcode ID: 77c53ca93e236c562defaffb78af67adc030127ede9e7ff349b1119ef9f3d8a5
          • Instruction ID: 7a828d8358b6daa98ad7c03c44e6977a739d63b350b14f336fab54bd7487e73a
          • Opcode Fuzzy Hash: 77c53ca93e236c562defaffb78af67adc030127ede9e7ff349b1119ef9f3d8a5
          • Instruction Fuzzy Hash: 4231D8B1E00219FFDB20DF95CD88AAEBBB9FF08305F504469E546E2250D7789E449B24

          Non-executed Functions

          Function 00444000 Relevance: 30.2, APIs: 20, Instructions: 200libraryloaderCOMMON
          Download Yara Rule

          Control-flow Graph

          APIs
          • LoadLibraryW.KERNEL32(00441E00), ref: 00444019
          • GetProcAddress.KERNEL32(00000000,646F636E), ref: 00444025
          • GetCurrentProcess.KERNEL32(?,00441E2D,00000004,00000000), ref: 0044403E
          • GetCurrentProcess.KERNEL32(?,00441E31,00000002,00000000,?,00441E2D,00000004,00000000), ref: 00444057
          • GetCurrentProcess.KERNEL32(?,00441E33,00000003,00000000,?,00441E31,00000002,00000000,?,00441E2D,00000004,00000000), ref: 00444070
          • GetCurrentProcess.KERNEL32(?,00441E36,00000005,00000000,?,00441E33,00000003,00000000,?,00441E31,00000002,00000000,?,00441E2D,00000004,00000000), ref: 00444089
          • GetCurrentProcess.KERNEL32(?,00441E3B,0000000B,00000000,?,00441E36,00000005,00000000,?,00441E33,00000003,00000000,?,00441E31,00000002,00000000), ref: 004440A2
          • GetCurrentProcess.KERNEL32(?,00441E46,00000006,00000000,?,00441E3B,0000000B,00000000,?,00441E36,00000005,00000000,?,00441E33,00000003,00000000), ref: 004440BB
          • GetCurrentProcess.KERNEL32(?,00441E4C,00000007,00000000,?,00441E46,00000006,00000000,?,00441E3B,0000000B,00000000,?,00441E36,00000005,00000000), ref: 004440D4
          • GetCurrentProcess.KERNEL32(?,00441E53,00000001,00000000,?,00441E4C,00000007,00000000,?,00441E46,00000006,00000000,?,00441E3B,0000000B,00000000), ref: 004440ED
          Memory Dump Source
          • Source File: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: CurrentProcess$AddressLibraryLoadProc
          • String ID:
          • API String ID: 3180543935-0
          • Opcode ID: bf3e07137b0beb4a52e0053cdb9eb43d7be91cec0d8cae02cce42a71bbe23a88
          • Instruction ID: e5d195f8fff31ccf77d7fe84f9012ba492b6e0f0acfd17ef9f710123e8bfc7af
          • Opcode Fuzzy Hash: bf3e07137b0beb4a52e0053cdb9eb43d7be91cec0d8cae02cce42a71bbe23a88
          • Instruction Fuzzy Hash: 09513CB2650709BFE640ABF8DC4DFD63A9CEB4C745F404431B30CD6280D768EA1887A8
          Function 0040F84D Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMON
          Download Yara Rule
          APIs
          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0041A300), ref: 0040F8B7
          • WideCharToMultiByte.KERNEL32(00000000,00000000,0042364C,000000FF,00000000,0000003F,00000000,?,?), ref: 0040F92F
          • WideCharToMultiByte.KERNEL32(00000000,00000000,004236A0,000000FF,?,0000003F,00000000,?), ref: 0040F95C
          • _free.LIBCMT ref: 0040F8A5
            • Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
            • Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC
          • _free.LIBCMT ref: 0040FA71
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
          • String ID:
          • API String ID: 1286116820-0
          • Opcode ID: 3443a37033e945fa2b53bc3ad2ee1a8a9d5b2c65e4f063bc3abbfb03ef45b6c8
          • Instruction ID: cee3b39c58479669088341a85f3fdcd137ff0b1e9710cf7f20b44d28e7aa8d18
          • Opcode Fuzzy Hash: 3443a37033e945fa2b53bc3ad2ee1a8a9d5b2c65e4f063bc3abbfb03ef45b6c8
          • Instruction Fuzzy Hash: 8251C7B1A00205BBC730EFB59C41AAAB7BCAB84714B50427FE554B37D1D7389E49CB58
          Function 004054A9 Relevance: 6.1, APIs: 4, Instructions: 75COMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • IsProcessorFeaturePresent.KERNEL32(00000017,?,00000007), ref: 004054B6
          • IsDebuggerPresent.KERNEL32(?,?,?,00000017,?,00000007), ref: 0040557E
          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?,00000007), ref: 0040559D
          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?,00000007), ref: 004055A7
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
          • String ID:
          • API String ID: 254469556-0
          • Opcode ID: 404194f505ab6bcc554436712299a4a2aff77fb66b116873bf98776274aa3698
          • Instruction ID: 2c3cb7413c07a9c782ae6c42a12524f6d5191052f304192687f7892d7edc3cd0
          • Opcode Fuzzy Hash: 404194f505ab6bcc554436712299a4a2aff77fb66b116873bf98776274aa3698
          • Instruction Fuzzy Hash: A53107B5D0522CDBDB20DFA5D9896CEBBB8FF48305F1041AAE40DAB250E7345A84CF84
          Function 004058A0 Relevance: 6.1, APIs: 4, Instructions: 53timethreadCOMMON
          Download Yara Rule
          APIs
          • GetSystemTimeAsFileTime.KERNEL32 ref: 004058CF
          • GetCurrentThreadId.KERNEL32 ref: 004058DE
          • GetCurrentProcessId.KERNEL32 ref: 004058E7
          • QueryPerformanceCounter.KERNEL32(?), ref: 004058F4
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
          • String ID:
          • API String ID: 2933794660-0
          • Opcode ID: 1b3a825cc706b74735f712516263f2fb5b8ac3cc0a29f07f8ba54018fa2c8f50
          • Instruction ID: fbfe4691f84679fef18e7ff33e83e5debe7ff519a6be1f3678a07b2cc86d359d
          • Opcode Fuzzy Hash: 1b3a825cc706b74735f712516263f2fb5b8ac3cc0a29f07f8ba54018fa2c8f50
          • Instruction Fuzzy Hash: 8D11E075D05A08DBCB14CBB4E9481EEBBB0EB4C310B91857BD803E7280DB348A01CF49
          Function 00409371 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • IsDebuggerPresent.KERNEL32 ref: 00409469
          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00409473
          • UnhandledExceptionFilter.KERNEL32(?), ref: 00409480
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$DebuggerPresent
          • String ID:
          • API String ID: 3906539128-0
          • Opcode ID: 6d05ee05fdbd1b9a0dd489d33e8ae2999e111935a8bff4fc6c0049eb1948d3fa
          • Instruction ID: 56c3b2a019c41920525924eedc28813e36dcba2a4ad85c36c50cd910d3ea6526
          • Opcode Fuzzy Hash: 6d05ee05fdbd1b9a0dd489d33e8ae2999e111935a8bff4fc6c0049eb1948d3fa
          • Instruction Fuzzy Hash: C631C274901218ABCB21DF65D9897DDBBB8BF48310F5046EAE80CA7291E7349F818F48
          Function 0040A60E Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • GetCurrentProcess.KERNEL32(00000003,?,0040A5E4,00000003,00420690,0000000C,0040A6F7,00000003,00000002,00000000,?,0040A0B7,00000003), ref: 0040A62F
          • TerminateProcess.KERNEL32(00000000,?,0040A5E4,00000003,00420690,0000000C,0040A6F7,00000003,00000002,00000000,?,0040A0B7,00000003), ref: 0040A636
          • ExitProcess.KERNEL32 ref: 0040A648
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: Process$CurrentExitTerminate
          • String ID:
          • API String ID: 1703294689-0
          • Opcode ID: 721ab978f54cbce462c27a4fe3a09cb37437b04cd829fb710bf6f337512a355f
          • Instruction ID: 693879e349d8a07138d15f2ebcff5f69683aa6f8293a49bea3ff601a8daea9ae
          • Opcode Fuzzy Hash: 721ab978f54cbce462c27a4fe3a09cb37437b04cd829fb710bf6f337512a355f
          • Instruction Fuzzy Hash: 6AE04F32000604EFCF016F60CC08AC93F39EF44741B048435F94966262CB3ADD53CA9D
          Function 0041001A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON
          Download Yara Rule
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID:
          • String ID: .
          • API String ID: 0-248832578
          • Opcode ID: 84ff70338844bd67db4b350683bc4fc1026f035b19550438ac572cb5ccaebd5c
          • Instruction ID: 93c8551c73d181b4ab92a0685c27e4cfad7802c168bc609c6a23fdb1d29a0aa5
          • Opcode Fuzzy Hash: 84ff70338844bd67db4b350683bc4fc1026f035b19550438ac572cb5ccaebd5c
          • Instruction Fuzzy Hash: 6E31F471900209BFCB249E79DC84EFB7BADDB85304F1041AEF41897252E6B99DC18B54
          Function 0040D7AF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,0040D7AA,?,?,?,?,?,?,00000000), ref: 0040D9DC
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ExceptionRaise
          • String ID:
          • API String ID: 3997070919-0
          • Opcode ID: 6ee6114958ef5b940a365093dfef52e91a631aab357f1a753731accc93427e7c
          • Instruction ID: 7779b2fec0980917fd9de0f92ead704795e76caf878fd6bc5e49e2f076afb18b
          • Opcode Fuzzy Hash: 6ee6114958ef5b940a365093dfef52e91a631aab357f1a753731accc93427e7c
          • Instruction Fuzzy Hash: 86B16B72A10608DFD718CF68C486B657BE0FF45324F258669E899DF2E1C339E986CB44
          Function 0040563B Relevance: 1.5, APIs: 1, Instructions: 3COMMON
          Download Yara Rule
          APIs
          • SetUnhandledExceptionFilter.KERNEL32(Function_00005647,004051A1), ref: 00405640
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled
          • String ID:
          • API String ID: 3192549508-0
          • Opcode ID: c941ad497f0eaebb4d9a4deb7122c6e295a3ee5fce6079653569e34823ac70f0
          • Instruction ID: b30fad5db58dceec2b94860587723317c94b67e66f094e628d3c2fe363f57e98
          • Opcode Fuzzy Hash: c941ad497f0eaebb4d9a4deb7122c6e295a3ee5fce6079653569e34823ac70f0
          • Instruction Fuzzy Hash:
          Function 0040D430 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
          Download Yara Rule
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: HeapProcess
          • String ID:
          • API String ID: 54951025-0
          • Opcode ID: 61ec7acb2f29f43c711cdb9fa6988f24fe5123dd91ef8e0ede4c2ec2a456dc9a
          • Instruction ID: ec319743ba999b14c5b36b7db05a41e1a9341160322eae14b836442ef7f3742e
          • Opcode Fuzzy Hash: 61ec7acb2f29f43c711cdb9fa6988f24fe5123dd91ef8e0ede4c2ec2a456dc9a
          • Instruction Fuzzy Hash: DBA01230701200DB43118F319A0434C76E8655518170180345000C0220DA2440004A08
          Function 0040DEC9 Relevance: .6, Instructions: 637COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3a49be35e42ad91bd8ae451549b3abc82ae36c2bad44d9dc37428738df5aac6a
          • Instruction ID: e1cf9e6faf36b8add5926323722615d690e454bc73e106785dde56bdd673a75a
          • Opcode Fuzzy Hash: 3a49be35e42ad91bd8ae451549b3abc82ae36c2bad44d9dc37428738df5aac6a
          • Instruction Fuzzy Hash: 07324421D29F014DD7239635D822336A68CAFB73D4F15CB37F81AB5AA6EB39C4930109
          Function 00405FB0 Relevance: .1, Instructions: 76COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
          • Instruction ID: 48e740e85c0ba13e9a39178d6675e0207deff7deda563336be704961b392fadd
          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
          • Instruction Fuzzy Hash: BB112EB728004243E614CA2DC5B45B7A796EFC6324B2E437BD0439B7D4D63FD565AE08
          Function 004023B0 Relevance: .0, Instructions: 28COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6fd100cc5fbd715ecb011839e5036f548278fb3c62fe5b5825335654aac5a513
          • Instruction ID: 6e0bbde72fb14e28d293faa79a21a47684c70f3d5d039a1569678be7d820ba02
          • Opcode Fuzzy Hash: 6fd100cc5fbd715ecb011839e5036f548278fb3c62fe5b5825335654aac5a513
          • Instruction Fuzzy Hash: 1CF0A035704604AFCB14CF24D994F2AB7E8FB09B10F1082BEE81ACB7D0DB79A801CA44
          Function 00411396 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 209 411396-4113aa 210 411418-411420 209->210 211 4113ac-4113b1 209->211 213 411422-411425 210->213 214 411467-41147f call 411509 210->214 211->210 212 4113b3-4113b8 211->212 212->210 215 4113ba-4113bd 212->215 213->214 217 411427-411464 call 40a0d4 * 4 213->217 223 411482-411489 214->223 215->210 218 4113bf-4113c7 215->218 217->214 221 4113e1-4113e9 218->221 222 4113c9-4113cc 218->222 228 411403-411417 call 40a0d4 * 2 221->228 229 4113eb-4113ee 221->229 222->221 225 4113ce-4113e0 call 40a0d4 call 411092 222->225 226 4114a8-4114ac 223->226 227 41148b-41148f 223->227 225->221 231 4114c4-4114d0 226->231 232 4114ae-4114b3 226->232 235 411491-411494 227->235 236 4114a5 227->236 228->210 229->228 237 4113f0-411402 call 40a0d4 call 411190 229->237 231->223 242 4114d2-4114df call 40a0d4 231->242 239 4114c1 232->239 240 4114b5-4114b8 232->240 235->236 244 411496-4114a4 call 40a0d4 * 2 235->244 236->226 237->228 239->231 240->239 249 4114ba-4114c0 call 40a0d4 240->249 244->236 249->239
          APIs
          • ___free_lconv_mon.LIBCMT ref: 004113DA
            • Part of subcall function 00411092: _free.LIBCMT ref: 004110AF
            • Part of subcall function 00411092: _free.LIBCMT ref: 004110C1
            • Part of subcall function 00411092: _free.LIBCMT ref: 004110D3
            • Part of subcall function 00411092: _free.LIBCMT ref: 004110E5
            • Part of subcall function 00411092: _free.LIBCMT ref: 004110F7
            • Part of subcall function 00411092: _free.LIBCMT ref: 00411109
            • Part of subcall function 00411092: _free.LIBCMT ref: 0041111B
            • Part of subcall function 00411092: _free.LIBCMT ref: 0041112D
            • Part of subcall function 00411092: _free.LIBCMT ref: 0041113F
            • Part of subcall function 00411092: _free.LIBCMT ref: 00411151
            • Part of subcall function 00411092: _free.LIBCMT ref: 00411163
            • Part of subcall function 00411092: _free.LIBCMT ref: 00411175
            • Part of subcall function 00411092: _free.LIBCMT ref: 00411187
          • _free.LIBCMT ref: 004113CF
            • Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
            • Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC
          • _free.LIBCMT ref: 004113F1
          • _free.LIBCMT ref: 00411406
          • _free.LIBCMT ref: 00411411
          • _free.LIBCMT ref: 00411433
          • _free.LIBCMT ref: 00411446
          • _free.LIBCMT ref: 00411454
          • _free.LIBCMT ref: 0041145F
          • _free.LIBCMT ref: 00411497
          • _free.LIBCMT ref: 0041149E
          • _free.LIBCMT ref: 004114BB
          • _free.LIBCMT ref: 004114D3
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
          • String ID:
          • API String ID: 161543041-0
          • Opcode ID: 6948097937a93bc79f347b0239b9d3e03f7c2ed127d1936b30172035711646f9
          • Instruction ID: c3e3b1c69a3f208cfc80e5f5fa68dd56a74046792277ba31cc9222323f4b6648
          • Opcode Fuzzy Hash: 6948097937a93bc79f347b0239b9d3e03f7c2ed127d1936b30172035711646f9
          • Instruction Fuzzy Hash: C4316D326043099EEB309F7AD845B9B73E8AF00714F15442FE259E76A1DB3DAC90D729
          Function 0040BBE8 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 266 40bbe8-40bbf9 267 40bc05-40bc90 call 40a0d4 * 9 call 40baae call 40bafe 266->267 268 40bbfb-40bc04 call 40a0d4 266->268 268->267
          APIs
          • _free.LIBCMT ref: 0040BBFC
            • Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
            • Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC
          • _free.LIBCMT ref: 0040BC08
          • _free.LIBCMT ref: 0040BC13
          • _free.LIBCMT ref: 0040BC1E
          • _free.LIBCMT ref: 0040BC29
          • _free.LIBCMT ref: 0040BC34
          • _free.LIBCMT ref: 0040BC3F
          • _free.LIBCMT ref: 0040BC4A
          • _free.LIBCMT ref: 0040BC55
          • _free.LIBCMT ref: 0040BC63
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          • Opcode ID: a67545f4090f87f4ce43d628bc50666b59a916dea7e958812169f1c9f9eab329
          • Instruction ID: 48553cfbb76d33e2d3673e81f8a837f49d6e368abddba18f1e8eacc9daa22871
          • Opcode Fuzzy Hash: a67545f4090f87f4ce43d628bc50666b59a916dea7e958812169f1c9f9eab329
          • Instruction Fuzzy Hash: 6B11A77611424CEFCF01EF96C842CD97B65EF04354B1140AABA085B262DB3BDE60EB89
          Function 00413DD6 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 268COMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 293 413dd6-413e08 294 413e0a-413e17 call 40a0b8 293->294 295 413e2c-413e2f 293->295 297 413e18-413e1d 294->297 296 413e31-413e33 295->296 295->297 301 41406a-41407d call 404b16 296->301 299 413e38-413e3b 297->299 300 413e1f-413e2a call 40a0b8 297->300 299->296 304 413e3d-413e42 299->304 300->304 307 413e44-413e4c 304->307 308 413e4f-413e51 304->308 307->308 310 413e53-413e55 308->310 311 413e5b-413e5d 308->311 310->311 312 413ef8-413f10 MultiByteToWideChar 310->312 313 413e67-413e6a 311->313 314 413e5f 311->314 312->296 315 413f16-413f22 312->315 317 413e74-413e77 313->317 318 413e6c-413e6f 313->318 316 413e61-413e62 314->316 321 413f24-413f35 315->321 322 413f7d-413f7f 315->322 316->301 319 413e79-413e7b 317->319 320 413e7d-413e8a GetCPInfo 317->320 318->301 319->316 320->296 324 413e8c-413e8e 320->324 325 413f57-413f5d 321->325 326 413f37-413f49 call 405410 321->326 323 413f82-413f84 322->323 327 413f8a-413fa0 MultiByteToWideChar 323->327 328 41405e 323->328 329 413e90-413e96 324->329 330 413ebf-413ec1 324->330 332 413f5e call 409b44 325->332 326->328 341 413f4f-413f55 326->341 327->328 333 413fa6-413fba MultiByteToWideChar 327->333 336 414061-414068 call 404af8 328->336 329->319 334 413e98-413e9f 329->334 330->312 337 413ec3-413ec9 330->337 338 413f63-413f69 332->338 333->328 339 413fc0-413fcc 333->339 334->319 340 413ea1-413ea6 334->340 336->301 337->318 343 413ecb-413ed2 337->343 338->328 344 413f6f 338->344 345 414018 339->345 346 413fce-413fdf 339->346 340->319 347 413ea8-413eac 340->347 348 413f75-413f7b 341->348 343->318 350 413ed4 343->350 344->348 356 41401a-41401c 345->356 351 413fe1-413ff0 call 405410 346->351 352 413ffa-414000 346->352 353 413eb6-413ebb 347->353 354 413eae-413eb0 347->354 348->323 355 413ed7-413edc 350->355 357 414052 351->357 372 413ff2-413ff8 351->372 361 414001 call 409b44 352->361 353->340 360 413ebd 353->360 354->301 354->353 355->318 362 413ede-413ee2 355->362 356->357 358 41401e-414033 MultiByteToWideChar 356->358 366 414055-41405c call 404af8 357->366 358->357 365 414035-414050 call 40c552 358->365 360->319 368 414006-41400b 361->368 363 413ee4-413ee6 362->363 364 413eec-413ef1 362->364 363->301 363->364 364->355 369 413ef3 364->369 365->366 366->336 368->357 373 41400d 368->373 369->318 376 414013-414016 372->376 373->376 376->356
          APIs
          • GetCPInfo.KERNEL32(004140AF,?,?,7FFFFFFF,?,?,Xj0f,004140AF,?,?,?,?,?,?,?,66306A58), ref: 00413E82
          • MultiByteToWideChar.KERNEL32(004140AF,00000009,?,?,00000000,00000000,?,Xj0f,004140AF,?,?,?,?,?,?,?), ref: 00413F05
          • MultiByteToWideChar.KERNEL32(004140AF,00000001,?,?,00000000,?,?,Xj0f,004140AF,?,?,?,?,?,?,?), ref: 00413F98
          • MultiByteToWideChar.KERNEL32(004140AF,00000009,004140AF,?,00000000,00000000,?,Xj0f,004140AF,?,?,?,?,?,?,?), ref: 00413FAF
            • Part of subcall function 00409B44: HeapAlloc.KERNEL32(00000000,?,?,?,004071B5,?,?,?,?,?,0040232D,00404584,?,?,00404584), ref: 00409B76
          • MultiByteToWideChar.KERNEL32(004140AF,00000001,004140AF,?,00000000,?,?,Xj0f,004140AF,?,?,?,?,?,?,?), ref: 0041402B
          • __freea.LIBCMT ref: 00414056
          • __freea.LIBCMT ref: 00414062
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ByteCharMultiWide$__freea$AllocHeapInfo
          • String ID: Xj0f
          • API String ID: 2171645-287982649
          • Opcode ID: 8ca8590afd9faeddc56944c5881a59f4c9234a53216bebeb6f83dead52eff06f
          • Instruction ID: 5165c60ab54c1a2ed8f89255d6defbb5e83309102b0ac90782e38da0fcb7c16f
          • Opcode Fuzzy Hash: 8ca8590afd9faeddc56944c5881a59f4c9234a53216bebeb6f83dead52eff06f
          • Instruction Fuzzy Hash: 4991D372E003169ADF209F65C841AEFBBB5AF49710F14416BE915E7280D739DDC1CBA8
          Function 00410BFF Relevance: 13.7, APIs: 9, Instructions: 209COMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 377 410bff-410c0d 378 410c1f-410c32 call 407060 377->378 379 410c0f-410c1d call 409a86 377->379 385 410c82-410c87 call 409a86 378->385 386 410c34-410c36 378->386 384 410c9b-410c9f 379->384 392 410c8d 385->392 386->385 388 410c38-410c4e 386->388 390 410c50-410c5c call 410e3a 388->390 391 410c62-410c66 388->391 390->391 394 410cfa-410d0f call 410eeb 391->394 395 410c6c-410c6f 391->395 396 410c90-410c9a call 40a0d4 392->396 407 410d11-410d13 394->407 408 410d59-410d5c 394->408 399 410c71-410c77 395->399 400 410ca0-410ca2 395->400 396->384 399->400 405 410c79-410c80 call 40acf1 399->405 403 410ca4-410ca6 400->403 404 410ca8-410caa 400->404 403->396 409 410cac call 409fb1 404->409 405->385 415 410cf0 405->415 407->408 413 410d15-410d24 call 40a0d4 407->413 408->396 412 410d62-410d6c 408->412 414 410cb1-410cc7 call 40a0d4 409->414 412->392 416 410d72-410d78 412->416 425 410d26-410d2e 413->425 426 410d38-410d3b 413->426 414->392 423 410cc9-410ccf 414->423 419 410cf6-410cf8 415->419 416->392 420 410d7e-410d94 call 410f4a call 40a0d4 416->420 419->392 419->394 420->392 440 410d9a-410da5 420->440 423->419 428 410cd1-410cd3 423->428 427 410daf-410db2 425->427 429 410d30-410d37 426->429 430 410d3d-410d55 call 410f4a call 40a0d4 426->430 427->396 433 410db8-410dba 427->433 432 410cd5 call 409fb1 428->432 429->426 430->427 449 410d57 430->449 436 410cda-410cee call 40a0d4 432->436 437 410dbd-410dc2 433->437 436->392 436->415 437->437 442 410dc4-410dcc 437->442 444 410da9 440->444 446 410dcf call 409fb1 442->446 444->427 448 410dd4-410dda 446->448 450 410e23-410e2a call 40a0d4 448->450 451 410ddc-410ded call 409317 448->451 449->444 450->396 456 410e2f 451->456 457 410def-410e13 SetEnvironmentVariableA 451->457 458 410e34 call 409568 456->458 457->450 459 410e15-410e1d call 409a86 457->459 460 410e39 458->460 459->450
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
          • String ID:
          • API String ID: 1282221369-0
          • Opcode ID: 0c7fa12dbec1ef7520115cce65805f1284c8e539b35b5cadf8115085c372d76b
          • Instruction ID: bd5c10ff3c59d4f406f930c3cde5030183181efdbd96f99f595e2c86a631d60a
          • Opcode Fuzzy Hash: 0c7fa12dbec1ef7520115cce65805f1284c8e539b35b5cadf8115085c372d76b
          • Instruction Fuzzy Hash: 7E612871A04301AFDB38AF7598417AA77A4AF01314F1442BFF944A7381E6BD99C18B9D
          Function 004038E0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 216libraryloaderCOMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 463 4038e0-403929 464 40392b-40392d 463->464 465 40392f 463->465 466 403931-40393b GetFileAttributesW 464->466 465->466 467 403bd0-403be9 call 401820 466->467 468 403941-403943 466->468 472 403bee-403c0b call 404b16 467->472 468->467 469 403949-40397f call 401270 call 4041c0 468->469 478 403981-40398f call 401c70 469->478 479 403994-4039be call 4011a0 469->479 478->479 483 4039c0-4039e7 call 401820 479->483 484 403a05-403a09 479->484 483->472 490 4039ed-403a00 call 401c70 483->490 486 403a0b-403a0d 484->486 487 403a0f 484->487 489 403a11-403a1b GetFileAttributesW 486->489 487->489 491 403a21-403a23 489->491 492 403b92-403bb9 call 401820 489->492 490->472 491->492 495 403a29-403a2d 491->495 492->472 500 403bbb-403bce call 401c70 492->500 498 403a31-403a42 LoadLibraryW 495->498 499 403a2f 495->499 501 403a44-403a63 call 401820 call 401410 498->501 502 403a68-403aa6 call 401820 GetProcAddress 498->502 499->498 500->472 501->472 510 403b65-403b90 FreeLibrary call 401450 call 401410 * 2 502->510 511 403aac-403ab0 502->511 510->472 514 403ab2-403ab4 511->514 515 403ab6 511->515 517 403ab8-403aff call 4025c0 call 409317 514->517 515->517 527 403b01-403b30 call 4024a0 call 402d10 call 401410 517->527 528 403b4a-403b55 call 403f60 517->528 532 403b5a-403b60 call 401530 527->532 538 403b32-403b3a 527->538 528->532 532->510 538->532 539 403b3c-403b48 call 401820 538->539 539->532
          APIs
          • GetFileAttributesW.KERNEL32(?,C5937A0D), ref: 00403932
          • GetFileAttributesW.KERNEL32(00000000), ref: 00403A12
          • LoadLibraryW.KERNEL32 ref: 00403A32
          • GetProcAddress.KERNEL32(00000000,ShowEngineChoice), ref: 00403A98
          • FreeLibrary.KERNEL32(00000000), ref: 00403B66
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: AttributesFileLibrary$AddressFreeLoadProc
          • String ID: Builds\$ShowEngineChoice
          • API String ID: 1170010538-1704591504
          • Opcode ID: 05081c2cd0ad7e37283d0b5abf5e49dd46763fc5f060554cd6a7b137e7f9392f
          • Instruction ID: de1ddf5754e0430927df7d71477b2fb86df1c92578392477b91780301d0b4d69
          • Opcode Fuzzy Hash: 05081c2cd0ad7e37283d0b5abf5e49dd46763fc5f060554cd6a7b137e7f9392f
          • Instruction Fuzzy Hash: C28191709042149BCB20DF25CD45BDABBB8AF45319F1006BEE419B72E1DB78AF44CB99
          Function 0040F678 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 542 40f678-40f6a0 call 40f2b7 call 40f315 547 40f840-40f875 call 409568 call 40f2b7 call 40f315 542->547 548 40f6a6-40f6b2 call 40f2bd 542->548 570 40f87b-40f887 call 40f2bd 547->570 571 40f99d-40f9f9 call 409568 call 412741 547->571 548->547 554 40f6b8-40f6c3 548->554 556 40f6c5-40f6c7 554->556 557 40f6f9-40f702 call 40a0d4 554->557 560 40f6c9-40f6cd 556->560 569 40f705-40f70a 557->569 562 40f6e9-40f6eb 560->562 563 40f6cf-40f6d1 560->563 568 40f6ee-40f6f0 562->568 566 40f6d3-40f6d9 563->566 567 40f6e5-40f6e7 563->567 566->562 572 40f6db-40f6e3 566->572 567->568 573 40f6f6 568->573 574 40f83a-40f83f 568->574 569->569 575 40f70c-40f72d call 409b44 call 40a0d4 569->575 570->571 583 40f88d-40f899 call 40f2e9 570->583 592 40fa03-40fa06 571->592 593 40f9fb-40fa01 571->593 572->560 572->567 573->557 575->574 588 40f733-40f736 575->588 583->571 594 40f89f-40f8c0 call 40a0d4 GetTimeZoneInformation 583->594 591 40f739-40f73e 588->591 591->591 595 40f740-40f752 call 409317 591->595 596 40fa49-40fa5b 592->596 598 40fa08-40fa18 call 409b44 592->598 593->596 606 40f8c6-40f8e7 594->606 607 40f979-40f99c call 40f2b1 call 40f2a5 call 40f2ab 594->607 595->547 610 40f758-40f76b call 4092a8 595->610 600 40fa6b call 40f84d 596->600 601 40fa5d-40fa60 596->601 616 40fa22-40fa3b call 412741 598->616 617 40fa1a 598->617 615 40fa70-40fa87 call 40a0d4 call 404b16 600->615 601->600 605 40fa62-40fa69 call 40f678 601->605 605->615 613 40f8f1-40f8f8 606->613 614 40f8e9-40f8ee 606->614 610->547 638 40f771-40f774 610->638 622 40f910-40f913 613->622 623 40f8fa-40f901 613->623 614->613 636 40fa40-40fa46 call 40a0d4 616->636 637 40fa3d-40fa3e 616->637 625 40fa1b-40fa20 call 40a0d4 617->625 627 40f916-40f937 call 409f19 WideCharToMultiByte 622->627 623->622 630 40f903-40f90e 623->630 641 40fa48 625->641 647 40f945-40f947 627->647 648 40f939-40f93c 627->648 630->627 636->641 637->625 644 40f776-40f77a 638->644 645 40f77c-40f785 638->645 641->596 644->638 644->645 650 40f787 645->650 651 40f788-40f795 call 40b82c 645->651 654 40f949-40f965 WideCharToMultiByte 647->654 648->647 653 40f93e-40f943 648->653 650->651 660 40f798-40f79c 651->660 653->654 656 40f974-40f977 654->656 657 40f967-40f96a 654->657 656->607 657->656 659 40f96c-40f972 657->659 659->607 661 40f7a6-40f7a7 660->661 662 40f79e-40f7a0 660->662 661->660 663 40f7a2-40f7a4 662->663 664 40f7a9-40f7ac 662->664 663->661 663->664 665 40f7f0-40f7f2 664->665 666 40f7ae-40f7c1 call 40b82c 664->666 667 40f7f4-40f7f6 665->667 668 40f7f9-40f808 665->668 674 40f7c8-40f7cc 666->674 667->668 670 40f820-40f823 668->670 671 40f80a-40f81c call 4092a8 668->671 675 40f826-40f838 call 40f2b1 call 40f2a5 670->675 671->675 680 40f81e 671->680 677 40f7c3-40f7c5 674->677 678 40f7ce-40f7d1 674->678 675->574 677->678 681 40f7c7 677->681 678->665 682 40f7d3-40f7e3 call 40b82c 678->682 680->547 681->674 688 40f7ea-40f7ee 682->688 688->665 689 40f7e5-40f7e7 688->689 689->665 690 40f7e9 689->690 690->688
          APIs
          • _free.LIBCMT ref: 0040F6FA
          • _free.LIBCMT ref: 0040F71E
          • _free.LIBCMT ref: 0040F8A5
          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0041A300), ref: 0040F8B7
          • WideCharToMultiByte.KERNEL32(00000000,00000000,0042364C,000000FF,00000000,0000003F,00000000,?,?), ref: 0040F92F
          • WideCharToMultiByte.KERNEL32(00000000,00000000,004236A0,000000FF,?,0000003F,00000000,?), ref: 0040F95C
          • _free.LIBCMT ref: 0040FA71
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: _free$ByteCharMultiWide$InformationTimeZone
          • String ID:
          • API String ID: 314583886-0
          • Opcode ID: 2f3de6c35d8385d90fb8044a193a1e4022d0d86cff54acdf12507dcd31735b38
          • Instruction ID: f34340c50701b21fb60fb4a77825ae8e54528bb199af36bb642f04b450799509
          • Opcode Fuzzy Hash: 2f3de6c35d8385d90fb8044a193a1e4022d0d86cff54acdf12507dcd31735b38
          • Instruction Fuzzy Hash: 61C12872A00205ABCB309F799841BAABBB9AF41314F1441BFE840B77D1D73D9E4AC759
          Function 004030E0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 281registryCOMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 691 4030e0-40316e 692 403170-403172 691->692 693 403174 691->693 694 403176-4031ad 692->694 693->694 695 4031b0-4031e2 call 401720 RegOpenKeyExW 694->695 698 403222-403228 695->698 699 4031e4-403218 RegQueryValueExW 695->699 698->695 702 40322a 698->702 700 40321a-403220 RegCloseKey 699->700 701 40322f-403237 699->701 700->698 704 403239-40323b 701->704 705 40323d-403243 701->705 703 4032cf-4032d3 702->703 706 4032d9-403303 call 401270 call 404050 703->706 707 40345e-403467 703->707 708 403255-40327d call 401720 call 401270 704->708 709 403246-40324f 705->709 732 403381-40338a 706->732 733 403305-40330b 706->733 711 4034c0-4034dd call 404b16 707->711 712 403469-403475 707->712 736 403289-403296 708->736 737 40327f-403284 call 401820 708->737 709->709 714 403251-403253 709->714 717 403477 call 40954b 712->717 718 40347c-403483 712->718 714->708 717->718 723 403485-40348c 718->723 724 4034b7-4034bd call 404d59 718->724 726 403493-403498 723->726 727 40348e call 40954b 723->727 724->711 734 40349a call 40954b 726->734 735 40349f-4034a4 726->735 727->726 739 4033e3-403409 732->739 740 40338c-403398 732->740 741 403318-40332a 733->741 742 40330d-403313 call 401c70 733->742 734->735 745 4034a6 call 40954b 735->745 746 4034ab-4034ae 735->746 747 403298-4032a6 call 401c70 736->747 748 4032ab-4032b2 736->748 737->736 739->707 754 40340b-403417 739->754 749 40339a call 40954b 740->749 750 40339f-4033a6 740->750 752 403330 741->752 753 40332c-40332e 741->753 742->741 745->746 757 4034b0 call 40954b 746->757 758 4034b5 746->758 747->748 748->703 759 4032b4-4032c9 SetCurrentDirectoryW 748->759 749->750 761 4033a8-4033af 750->761 762 4033da-4033e0 call 404d59 750->762 763 403332-40333b 752->763 753->763 764 403419 call 40954b 754->764 765 40341e-403425 754->765 757->758 758->724 759->703 768 4033b1 call 40954b 761->768 769 4033b6-4033bb 761->769 762->739 770 403354-403358 763->770 771 40333d-403343 763->771 764->765 773 403455-40345b call 404d59 765->773 774 403427-40342a 765->774 768->769 778 4033c2-4033c7 769->778 779 4033bd call 40954b 769->779 781 40335a-403378 770->781 780 403345-403352 call 405a30 771->780 771->781 773->707 782 403431-403436 774->782 783 40342c call 40954b 774->783 787 4033c9 call 40954b 778->787 788 4033ce-4033d1 778->788 779->778 780->781 790 40337a 781->790 791 40337c-40337e 781->791 792 403438 call 40954b 782->792 793 40343d-403442 782->793 783->782 787->788 798 4033d3 call 40954b 788->798 799 4033d8 788->799 790->791 791->732 792->793 794 403444 call 40954b 793->794 795 403449-40344c 793->795 794->795 803 403453 795->803 804 40344e call 40954b 795->804 798->799 799->762 803->773 804->803
          APIs
          • RegOpenKeyExW.ADVAPI32(80000001,Software\Image-Line\Shared\Paths,00000000,00020019,?,0041F3E0,00000000,C5937A0D), ref: 004031DA
          • RegQueryValueExW.ADVAPI32(?,FL Studio engine,00000000,?,?,?), ref: 00403210
          • RegCloseKey.ADVAPI32(?), ref: 00403220
          • SetCurrentDirectoryW.KERNEL32(?,00000000,-00000002), ref: 004032C9
          Strings
          • Software\Image-Line\Shared\Paths, xrefs: 004031CE
          • FL Studio engine, xrefs: 00403205
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: CloseCurrentDirectoryOpenQueryValue
          • String ID: FL Studio engine$Software\Image-Line\Shared\Paths
          • API String ID: 560107024-3045882576
          • Opcode ID: 1ae0359c2a9daeafde217d5f520328ae5fb480cd08f2ba52420d0b095b6717eb
          • Instruction ID: d9aca2f66e9e14c5e08ca7a59a44d8ca8ae13f807f69bbcddbd0e91051e932eb
          • Opcode Fuzzy Hash: 1ae0359c2a9daeafde217d5f520328ae5fb480cd08f2ba52420d0b095b6717eb
          • Instruction Fuzzy Hash: 1DB1B3709002149BDB25EF25DC8879EBAB4EF05309F1006BEE41AE72D1DB789F84CB59
          Function 004034E0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 281registryCOMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 806 4034e0-40356e 807 403570-403572 806->807 808 403574 806->808 809 403576-4035ad 807->809 808->809 810 4035b0-4035e2 call 401720 RegOpenKeyExW 809->810 813 403622-403628 810->813 814 4035e4-403618 RegQueryValueExW 810->814 813->810 817 40362a 813->817 815 40361a-403620 RegCloseKey 814->815 816 40362f-403637 814->816 815->813 819 403639-40363b 816->819 820 40363d-403643 816->820 818 4036cf-4036d3 817->818 821 4036d9-403703 call 4041c0 call 404130 818->821 822 40385e-403867 818->822 823 403655-40367d call 401720 call 401270 819->823 824 403646-40364f 820->824 852 403781-40378a 821->852 853 403705-40370b 821->853 825 4038c0-4038dd call 404b16 822->825 826 403869-403875 822->826 848 403689-403696 823->848 849 40367f-403684 call 401820 823->849 824->824 828 403651-403653 824->828 830 403877 call 40954b 826->830 831 40387c-403883 826->831 828->823 830->831 836 403885-40388c 831->836 837 4038b7-4038bd call 404d59 831->837 843 403893-403898 836->843 844 40388e call 40954b 836->844 837->825 846 40389a call 40954b 843->846 847 40389f-4038a4 843->847 844->843 846->847 856 4038a6 call 40954b 847->856 857 4038ab-4038ae 847->857 858 403698-4036a6 call 401c70 848->858 859 4036ab-4036b2 848->859 849->848 860 4037e3-403809 852->860 861 40378c-403798 852->861 862 403718-40372a 853->862 863 40370d-403713 call 401c70 853->863 856->857 870 4038b0 call 40954b 857->870 871 4038b5 857->871 858->859 859->818 872 4036b4-4036c9 SetCurrentDirectoryW 859->872 860->822 867 40380b-403817 860->867 873 40379a call 40954b 861->873 874 40379f-4037a6 861->874 865 403730 862->865 866 40372c-40372e 862->866 863->862 878 403732-40373b 865->878 866->878 879 403819 call 40954b 867->879 880 40381e-403825 867->880 870->871 871->837 872->818 873->874 876 4037a8-4037af 874->876 877 4037da-4037e0 call 404d59 874->877 883 4037b1 call 40954b 876->883 884 4037b6-4037bb 876->884 877->860 885 403754-403758 878->885 886 40373d-403743 878->886 879->880 888 403855-40385b call 404d59 880->888 889 403827-40382a 880->889 883->884 893 4037c2-4037c7 884->893 894 4037bd call 40954b 884->894 896 40375a-403778 885->896 895 403745-403752 call 405a30 886->895 886->896 888->822 897 403831-403836 889->897 898 40382c call 40954b 889->898 902 4037c9 call 40954b 893->902 903 4037ce-4037d1 893->903 894->893 895->896 905 40377a 896->905 906 40377c-40377e 896->906 907 403838 call 40954b 897->907 908 40383d-403842 897->908 898->897 902->903 911 4037d3 call 40954b 903->911 912 4037d8 903->912 905->906 906->852 907->908 914 403844 call 40954b 908->914 915 403849-40384c 908->915 911->912 912->877 914->915 916 403853 915->916 917 40384e call 40954b 915->917 916->888 917->916
          APIs
          • RegOpenKeyExW.ADVAPI32(80000001,Software\Image-Line\Shared\Paths,00000000,00020019,?,0041F3E0,00000000,C5937A0D), ref: 004035DA
          • RegQueryValueExW.ADVAPI32(?,Shared DLLs,00000000,?,?,?), ref: 00403610
          • RegCloseKey.ADVAPI32(?), ref: 00403620
          • SetCurrentDirectoryW.KERNEL32(?,00000000,-00000002), ref: 004036C9
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: CloseCurrentDirectoryOpenQueryValue
          • String ID: Shared DLLs$Software\Image-Line\Shared\Paths
          • API String ID: 560107024-15047795
          • Opcode ID: fb2951c57167801161c0f0967db5a3139c012f4da95c761b7b7e4a9da19dd4cf
          • Instruction ID: 6e996c8f710392308a9c9457fb9a5c140fb766d7203bd62eeb12cb5959cd522a
          • Opcode Fuzzy Hash: fb2951c57167801161c0f0967db5a3139c012f4da95c761b7b7e4a9da19dd4cf
          • Instruction Fuzzy Hash: DCB1B3B19002149ADB24AF25CC8879DBBB5EF05309F1046BEE41AE32D1D779AF84CF59
          Function 0041305D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
          Download Yara Rule

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 921 41305d-4130ba GetConsoleCP 922 4130c0-4130dc 921->922 923 4131fd-41320f call 404b16 921->923 924 4130f7-413108 call 40a00e 922->924 925 4130de-4130f5 922->925 932 41310a-41310d 924->932 933 41312e-413130 924->933 927 413131-413140 call 40b950 925->927 927->923 935 413146-413166 WideCharToMultiByte 927->935 936 413113-413125 call 40b950 932->936 937 4131d4-4131f3 932->937 933->927 935->923 938 41316c-413182 WriteFile 935->938 936->923 944 41312b-41312c 936->944 937->923 940 4131f5-4131fb GetLastError 938->940 941 413184-413195 938->941 940->923 941->923 943 413197-41319b 941->943 945 4131c9-4131cc 943->945 946 41319d-4131bb WriteFile 943->946 944->935 945->922 948 4131d2 945->948 946->940 947 4131bd-4131c1 946->947 947->923 949 4131c3-4131c6 947->949 948->923 949->945
          APIs
          • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,004137D2,?,00000000,?,00000000,00000000), ref: 0041309F
          • __fassign.LIBCMT ref: 0041311A
          • __fassign.LIBCMT ref: 00413135
          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0041315B
          • WriteFile.KERNEL32(?,?,00000000,004137D2,00000000,?,?,?,?,?,?,?,?,?,004137D2,?), ref: 0041317A
          • WriteFile.KERNEL32(?,?,00000001,004137D2,00000000,?,?,?,?,?,?,?,?,?,004137D2,?), ref: 004131B3
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
          • String ID:
          • API String ID: 1324828854-0
          • Opcode ID: a85cf005042ee24a6171e8d11dee10c11e382f092748e9716315bae38fe722a0
          • Instruction ID: 65771749660f6c082f4e6d3f597a9b1f5a1b1864e1e77bfea480567eba9dd0f9
          • Opcode Fuzzy Hash: a85cf005042ee24a6171e8d11dee10c11e382f092748e9716315bae38fe722a0
          • Instruction Fuzzy Hash: 6851B770A00249AFCB10CFA8D885AEEBBF8FF49301F14412BE955E7251D7349A85CB69
          Function 00402F40 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 138libraryCOMMON
          Download Yara Rule
          APIs
          • GetModuleHandleW.KERNEL32(?,C5937A0D,?,00000000,?), ref: 00402FA5
          • GetFileAttributesW.KERNEL32(?,?,C5937A0D,?,00000000,?), ref: 0040304F
          • LoadLibraryW.KERNEL32(?,?,C5937A0D,?,00000000,?), ref: 0040307D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: AttributesFileHandleLibraryLoadModule
          • String ID: .$_Copy$invalid string position
          • API String ID: 1874533835-1464509366
          • Opcode ID: 23fd22305333a2dffd62d6d05f13bcd70c23ccd8230bfd74617236fc908f2af0
          • Instruction ID: da98474bcf906f3713c5a1b78ce9558ec3c932553f14ae375e9e04e96a442bc2
          • Opcode Fuzzy Hash: 23fd22305333a2dffd62d6d05f13bcd70c23ccd8230bfd74617236fc908f2af0
          • Instruction Fuzzy Hash: 79513C71A04208DACF10DFA5C945BDEBBB8EF49725F50062AE411F32D0DB789A45CBA9
          Function 00411235 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE
          Download Yara Rule
          APIs
            • Part of subcall function 004111F9: _free.LIBCMT ref: 00411222
          • _free.LIBCMT ref: 00411283
            • Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
            • Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC
          • _free.LIBCMT ref: 0041128E
          • _free.LIBCMT ref: 00411299
          • _free.LIBCMT ref: 004112ED
          • _free.LIBCMT ref: 004112F8
          • _free.LIBCMT ref: 00411303
          • _free.LIBCMT ref: 0041130E
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          • Opcode ID: 06ec6540e438d8a09da536fd41d3305855b7a1539a34de379467d2ff3c042619
          • Instruction ID: a198fd2adebaaea5243515d9bd3843b1f186d145754a35d40907218dcc2e8f84
          • Opcode Fuzzy Hash: 06ec6540e438d8a09da536fd41d3305855b7a1539a34de379467d2ff3c042619
          • Instruction Fuzzy Hash: EA115172540B0CBAD530BBB2CC07FCBB79D5F08708F40082EB399660A2EA7DB5995755
          Function 00408398 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • GetLastError.KERNEL32(?,?,0040838F,00406BC4,00420530,00000010,0040638C,?,?,?,?,?,00000000,?), ref: 004083A6
          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004083B4
          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004083CD
          • SetLastError.KERNEL32(00000000,0040838F,00406BC4,00420530,00000010,0040638C,?,?,?,?,?,00000000,?), ref: 0040841F
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ErrorLastValue___vcrt_
          • String ID:
          • API String ID: 3852720340-0
          • Opcode ID: fc9d39874cf7a0374f305b0c494e64ddacde0b3903fe0cc47774a9f2a3145668
          • Instruction ID: c7df93d7cb5514c336b5a9696235fa9f61e0383ab9539d8bf0fc0785b5252b12
          • Opcode Fuzzy Hash: fc9d39874cf7a0374f305b0c494e64ddacde0b3903fe0cc47774a9f2a3145668
          • Instruction Fuzzy Hash: 8D0128322193267ED6342B75BE85B572A85EB457B8360023FF650B51E1FFB94C02D14C
          Function 0040B1B5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON
          Download Yara Rule
          APIs
          • _free.LIBCMT ref: 0040B1D3
            • Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
            • Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC
          • _free.LIBCMT ref: 0040B1E5
          • _free.LIBCMT ref: 0040B1F8
          • _free.LIBCMT ref: 0040B209
          • _free.LIBCMT ref: 0040B21A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID: `&B
          • API String ID: 776569668-3969561002
          • Opcode ID: 0ed04a65c61fe898eda77a51e80066cf5da9dab8517b67f1d56b517782923a2e
          • Instruction ID: 4e99f16235664ee9690e38a68369d1690a2d3ec36046c759a6a1aae0f7f62b60
          • Opcode Fuzzy Hash: 0ed04a65c61fe898eda77a51e80066cf5da9dab8517b67f1d56b517782923a2e
          • Instruction Fuzzy Hash: B2F0BDB1A00365ABCA35BF25AC414057BB0F704765385823BF915662A1CB7D4B539FCE
          Function 0040CFE5 Relevance: 9.2, APIs: 6, Instructions: 216COMMON
          Download Yara Rule
          APIs
          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,0040D236,?,?,00000003), ref: 0040D03F
          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,?,?,?,0040D236,?,?,00000003), ref: 0040D0C5
          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000003,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0040D1BF
          • __freea.LIBCMT ref: 0040D1CC
            • Part of subcall function 00409B44: HeapAlloc.KERNEL32(00000000,?,?,?,004071B5,?,?,?,?,?,0040232D,00404584,?,?,00404584), ref: 00409B76
          • __freea.LIBCMT ref: 0040D1D5
          • __freea.LIBCMT ref: 0040D1FA
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ByteCharMultiWide__freea$AllocHeap
          • String ID:
          • API String ID: 3147120248-0
          • Opcode ID: fe2f76ddb0a38e4701cb7393f5050f0a23a0184b85804567e5e93c2d4de6b396
          • Instruction ID: c34399926ba55bb14d524fc379ded5b759b3dbadcd7def488aa6283d5fea1d61
          • Opcode Fuzzy Hash: fe2f76ddb0a38e4701cb7393f5050f0a23a0184b85804567e5e93c2d4de6b396
          • Instruction Fuzzy Hash: 38510672A10206ABDB259FA4CC41EAB77A9EF44754F14423AFD05EB2C0DF38DC45C668
          Function 0040BCDC Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • GetLastError.KERNEL32(?,?,0040B52C,00420718,0000000C,00405687), ref: 0040BCE0
          • _free.LIBCMT ref: 0040BD13
          • _free.LIBCMT ref: 0040BD3B
          • SetLastError.KERNEL32(00000000), ref: 0040BD48
          • SetLastError.KERNEL32(00000000), ref: 0040BD54
          • _abort.LIBCMT ref: 0040BD5A
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ErrorLast$_free$_abort
          • String ID:
          • API String ID: 3160817290-0
          • Opcode ID: aaf42687d7ffc606aaba6098ffb8d9e52b7e460a829c4a14b4e6d953c0badaef
          • Instruction ID: d242a3280e4ea0b848bb2f7007f2209fb6fbd24f2431a98af98647f32c8e44aa
          • Opcode Fuzzy Hash: aaf42687d7ffc606aaba6098ffb8d9e52b7e460a829c4a14b4e6d953c0badaef
          • Instruction Fuzzy Hash: 9FF0F43224460577C2223726AC06FAB6626DFC1775F25053FFA04B22E1EF3D890251EE
          Function 00402BE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98libraryloaderCOMMON
          Download Yara Rule
          APIs
          • GetFileAttributesW.KERNEL32(?,00423970,00000000,000000FF,C5937A0D,?,?,?,00402B96), ref: 00402C84
          • LoadLibraryW.KERNEL32(?,?,?,?,00402B96), ref: 00402CA1
          • GetProcAddress.KERNEL32(00000000,RunReWirePanel), ref: 00402CB3
          • FreeLibrary.KERNEL32(00000000,?,?,?,00402B96), ref: 00402CC5
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: Library$AddressAttributesFileFreeLoadProc
          • String ID: RunReWirePanel
          • API String ID: 4029741490-963473013
          • Opcode ID: 220b0ec9b74f5377be93692210716a78e0baf94325efc65548a8830abfc54b7b
          • Instruction ID: 6488b852996bd16dc08019f971c11e20d719507276cb5ee2635e9c964b462d1f
          • Opcode Fuzzy Hash: 220b0ec9b74f5377be93692210716a78e0baf94325efc65548a8830abfc54b7b
          • Instruction Fuzzy Hash: 03316031A04209DBDF14DFA4C959BEEB7B4AF09324F64153AE411B32D0D7B85985CAA8
          Function 00408E24 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 51COMMON
          Download Yara Rule
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: _wcsrchr
          • String ID: .bat$.cmd$.com$.exe
          • API String ID: 1752292252-4019086052
          • Opcode ID: 3fc1bc48a4a7751d509f8da21a16398b1fd01de2a505bc3f2c14766ca8eb7738
          • Instruction ID: b6fd6605b743f34348d915e601607b4c9e83dd63d50c4e11f340ce731c974d97
          • Opcode Fuzzy Hash: 3fc1bc48a4a7751d509f8da21a16398b1fd01de2a505bc3f2c14766ca8eb7738
          • Instruction Fuzzy Hash: 76F06236249B1E75E9242519EE02ADB13894F427F9B28413FFC4CB55C2DE7D998180ED
          Function 00406347 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • ___BuildCatchObject.LIBVCRUNTIME ref: 0040635E
            • Part of subcall function 00406996: ___AdjustPointer.LIBCMT ref: 004069E0
          • _UnwindNestedFrames.LIBCMT ref: 00406375
          • ___FrameUnwindToState.LIBVCRUNTIME ref: 00406387
          • CallCatchBlock.LIBVCRUNTIME ref: 004063AB
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
          • String ID: sg@
          • API String ID: 2633735394-4120294379
          • Opcode ID: 8e90f5c8eb9f3a8744cf03bb1354c1ea2422f4ef47fc7488f4a074b59a9dacde
          • Instruction ID: 7ef967dbf4a95b7153da8dbbdd964b51fe2c92b744254f5ec8080ae61ea075d1
          • Opcode Fuzzy Hash: 8e90f5c8eb9f3a8744cf03bb1354c1ea2422f4ef47fc7488f4a074b59a9dacde
          • Instruction Fuzzy Hash: C3010532400108BBCF126F65CC01EDA3BBAAF49754F06802AFD1976261D73AE9719BA5
          Function 0040A64F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0040A644,00000003,?,0040A5E4,00000003,00420690,0000000C,0040A6F7,00000003,00000002), ref: 0040A66F
          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040A682
          • FreeLibrary.KERNEL32(00000000,?,?,?,0040A644,00000003,?,0040A5E4,00000003,00420690,0000000C,0040A6F7,00000003,00000002,00000000), ref: 0040A6A5
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          • Opcode ID: 9795655132b294b6ed77200db63e4e31ac7cf582c90e3c5b5fe0bfbf990e9267
          • Instruction ID: be8922ad79e942b18d1a88a6f750b82ec20cc5b5b9de9d2dae1f796284c9d412
          • Opcode Fuzzy Hash: 9795655132b294b6ed77200db63e4e31ac7cf582c90e3c5b5fe0bfbf990e9267
          • Instruction Fuzzy Hash: 7BF04431A00608FBCB119F90EC19BDE7FB9EF48715F544075F805B2290DB755E50CA99
          Function 0040AF63 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE
          Download Yara Rule
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: _free
          • String ID:
          • API String ID: 269201875-0
          • Opcode ID: 3560e30de7e155783c1a9f2f3b3d6e0cfae7312524d423a2823b58ec1579e24c
          • Instruction ID: 967c99f3be41bd8149f2bb0d9d15683302f605346b9f8901ce092a178fa2f6ff
          • Opcode Fuzzy Hash: 3560e30de7e155783c1a9f2f3b3d6e0cfae7312524d423a2823b58ec1579e24c
          • Instruction Fuzzy Hash: 5F41E272A003049FCB20DF79C881A5AB3A1EF85314F1546BEEA15EB381D735AD02CB89
          Function 00410B7C Relevance: 7.6, APIs: 5, Instructions: 68COMMON
          Download Yara Rule
          APIs
          • GetEnvironmentStringsW.KERNEL32 ref: 00410B85
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410BA8
            • Part of subcall function 00409B44: HeapAlloc.KERNEL32(00000000,?,?,?,004071B5,?,?,?,?,?,0040232D,00404584,?,?,00404584), ref: 00409B76
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00410BCE
          • _free.LIBCMT ref: 00410BE1
          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00410BF0
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
          • String ID:
          • API String ID: 2278895681-0
          • Opcode ID: 72f072a49e6a99132a7dd3bc67e4ce666eec8761613f25c499fa7f45bf9d121a
          • Instruction ID: 7072b3659d0b35b431f8eaa513f3417bb5585d39fb516e420d80c14a405d6ff5
          • Opcode Fuzzy Hash: 72f072a49e6a99132a7dd3bc67e4ce666eec8761613f25c499fa7f45bf9d121a
          • Instruction Fuzzy Hash: 5301DD726096157F53211AF65C88CFFB96DDAC6B68314012BFD04D6200DAA8DC8291B9
          Function 0040BD60 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • GetLastError.KERNEL32(?,?,?,00409A8B,004092D8,?,?,004011CD,?,00000104), ref: 0040BD65
          • _free.LIBCMT ref: 0040BD9A
          • _free.LIBCMT ref: 0040BDC1
          • SetLastError.KERNEL32(00000000,?,00000104), ref: 0040BDCE
          • SetLastError.KERNEL32(00000000,?,00000104), ref: 0040BDD7
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ErrorLast$_free
          • String ID:
          • API String ID: 3170660625-0
          • Opcode ID: 4d9a13b72cfb8bdc8503e8d19b78d9f9c5aa16ee63b4d681031bd9953bcf6a87
          • Instruction ID: 5f25117c7d9b84b57ede9dfdc4567d6e7c743e31f630e51f5ba88c824c8e2162
          • Opcode Fuzzy Hash: 4d9a13b72cfb8bdc8503e8d19b78d9f9c5aa16ee63b4d681031bd9953bcf6a87
          • Instruction Fuzzy Hash: AC01F432240600A7C2226B766C85E6BB62AEFC2375765013BFA45B22D1EF7DCC0251ED
          Function 00411190 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • _free.LIBCMT ref: 004111A8
            • Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
            • Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC
          • _free.LIBCMT ref: 004111BA
          • _free.LIBCMT ref: 004111CC
          • _free.LIBCMT ref: 004111DE
          • _free.LIBCMT ref: 004111F0
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          • Opcode ID: e276703debc424d4533bb6ceaeff71e8c48d78241a5b77186f15e6f34d36433b
          • Instruction ID: 7699969ecc13d64f9ba09c80e80d2a7e0edb06926d064be52e5d13629556f3ac
          • Opcode Fuzzy Hash: e276703debc424d4533bb6ceaeff71e8c48d78241a5b77186f15e6f34d36433b
          • Instruction Fuzzy Hash: 88F04F33609214BBC630DF69E981C57B3E9AA04710799081BF708E7A50CA3DFCD0CA6C
          Function 00403C10 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 275libraryloaderCOMMON
          Download Yara Rule
          APIs
          • GetFileAttributesW.KERNEL32(?), ref: 00403D86
          • GetFileAttributesW.KERNEL32(?), ref: 00403DD3
          • GetProcAddress.KERNEL32(?,CreateFruityInstance), ref: 00403EE2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: AttributesFile$AddressProc
          • String ID: CreateFruityInstance
          • API String ID: 2889150381-2634520518
          • Opcode ID: ac4b3991accd802ed1f897dbbea405be1db5e01a4f39e51f889860a9f754d976
          • Instruction ID: 4cb94eefa489964be5470bc5a27681c6cc97bd475849e9c1abb26d40f1a8a8b6
          • Opcode Fuzzy Hash: ac4b3991accd802ed1f897dbbea405be1db5e01a4f39e51f889860a9f754d976
          • Instruction Fuzzy Hash: C7A14C71D041089ADF14DFA5D985BDEBBB4EF05318F20822AE425B72E1DB786E05CB68
          Function 0040FE8A Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON
          Download Yara Rule
          APIs
          • _strpbrk.LIBCMT ref: 0040FED9
          • _free.LIBCMT ref: 0040FFF6
            • Part of subcall function 00409568: IsProcessorFeaturePresent.KERNEL32(00000017,0040953A,00000104,?,004011CD,?,?,00000016,?,?,00409547,00000000,00000000,00000000,00000000,00000000), ref: 0040956A
            • Part of subcall function 00409568: GetCurrentProcess.KERNEL32(C0000417,?,00000104), ref: 0040958C
            • Part of subcall function 00409568: TerminateProcess.KERNEL32(00000000), ref: 00409593
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
          • String ID: *?$.
          • API String ID: 2812119850-3972193922
          • Opcode ID: bff87100e4b3a424b589ec9c99bf957fa28afb8024195e2bb651a676d77b613f
          • Instruction ID: f95015fd76193e3ff05e0ea83e3c7f4acfc1140f61a2042483f636c677eb66de
          • Opcode Fuzzy Hash: bff87100e4b3a424b589ec9c99bf957fa28afb8024195e2bb651a676d77b613f
          • Instruction Fuzzy Hash: A951B272E0020A9FDF24CFA9C841AAEBBB5EF49314F24417BE444E7741D6399E458B54
          Function 004106F9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON
          Download Yara Rule
          APIs
            • Part of subcall function 0040BCDC: GetLastError.KERNEL32(?,?,0040B52C,00420718,0000000C,00405687), ref: 0040BCE0
            • Part of subcall function 0040BCDC: _free.LIBCMT ref: 0040BD13
            • Part of subcall function 0040BCDC: SetLastError.KERNEL32(00000000), ref: 0040BD54
            • Part of subcall function 0040BCDC: _abort.LIBCMT ref: 0040BD5A
            • Part of subcall function 00410818: _abort.LIBCMT ref: 0041084A
            • Part of subcall function 00410818: _free.LIBCMT ref: 0041087E
            • Part of subcall function 0041048D: GetOEMCP.KERNEL32(?,?,00410716,?), ref: 004104B8
          • _free.LIBCMT ref: 00410771
          • _free.LIBCMT ref: 004107A7
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: _free$ErrorLast_abort
          • String ID: `&B$`&B
          • API String ID: 2991157371-3650563656
          • Opcode ID: fac1b13765be351bc9d0e2134d85f0770d243abb3d8c7740635effb4b965b36d
          • Instruction ID: d447fda578f830014105bb406eef1840afa64cc3a1d2e87cdf6ab03ded19286b
          • Opcode Fuzzy Hash: fac1b13765be351bc9d0e2134d85f0770d243abb3d8c7740635effb4b965b36d
          • Instruction Fuzzy Hash: E531C431904208AFDB11EBA5D441BAA77E4EF40324F2540AFE5145B2D1DBBA6DC1CF98
          Function 004121E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70COMMON
          Download Yara Rule
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ___ascii_strnicmp
          • String ID: Xj0f$Xj0fXj0f$Xj0fXj0f
          • API String ID: 3984708054-1644434381
          • Opcode ID: 9c5dc562fba9917c8c7211f385c91a6b1c73e595385efbeafbd1c0d75a000957
          • Instruction ID: d7097994bc3e0269988b6d4e98b3fd8540440a6ed4919cd59008b0db0148b1b9
          • Opcode Fuzzy Hash: 9c5dc562fba9917c8c7211f385c91a6b1c73e595385efbeafbd1c0d75a000957
          • Instruction Fuzzy Hash: 86110831900155AFCF259EA9C945BFF7764AB00354F1802EAEC24A7286E7B85DA0C7A5
          Function 00402820 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26COMMON
          Download Yara Rule
          APIs
          • std::_Xinvalid_argument.LIBCPMT ref: 00402918
          • std::_Xinvalid_argument.LIBCPMT ref: 00402922
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: Xinvalid_argumentstd::_
          • String ID: invalid string position$string too long
          • API String ID: 909987262-4289949731
          • Opcode ID: c64b15007395dea2f36aca86ee3c211cfd551fdf6133d12655906c35363bfebf
          • Instruction ID: 984dc0c0b2cd398f35e6645f1bc5f04e18c9dbf1703626bb7c3d1d18387ae337
          • Opcode Fuzzy Hash: c64b15007395dea2f36aca86ee3c211cfd551fdf6133d12655906c35363bfebf
          • Instruction Fuzzy Hash: C6D05B7434030CB78A046997DCC2C85725C5E4D750720043BBF14E71C685B89E84416E
          Function 00408A0D Relevance: 6.2, APIs: 4, Instructions: 174pipeCOMMON
          Download Yara Rule
          APIs
          • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00408A32
            • Part of subcall function 00408DB7: __dosmaperr.LIBCMT ref: 00408DFA
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040893B), ref: 00408B5D
          • __dosmaperr.LIBCMT ref: 00408B64
          • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00408BA1
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: __dosmaperr$ErrorFileLastNamedPeekPipeType
          • String ID:
          • API String ID: 3955570002-0
          • Opcode ID: 4e17df2c825c0cc79ffa86c79776fe878e0bb5644ae6caaa7de0a9e25d9e925e
          • Instruction ID: a909cdaeb501b666b60ba36f2f7d5ecf36db804fe9db59e3ae2361878b55f0a5
          • Opcode Fuzzy Hash: 4e17df2c825c0cc79ffa86c79776fe878e0bb5644ae6caaa7de0a9e25d9e925e
          • Instruction Fuzzy Hash: 7751A5B29006089FDB14DFB5CD41AAFB7F9EF48314B14493EF595E32A0DB38A8418B54
          Function 00401EE0 Relevance: 6.1, APIs: 4, Instructions: 117COMMON
          Download Yara Rule
          APIs
          • Concurrency::cancel_current_task.LIBCPMT ref: 00401F64
            • Part of subcall function 0040546F: __CxxThrowException@8.LIBVCRUNTIME ref: 00405486
          • Concurrency::cancel_current_task.LIBCPMT ref: 00401F79
          • new.LIBCMT ref: 00401F7F
          • new.LIBCMT ref: 00401F93
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: Concurrency::cancel_current_task$Exception@8Throw
          • String ID:
          • API String ID: 3339364867-0
          • Opcode ID: b30e87919e1801eb3aa18b99a79989427a97fc347df8e849dbd210b43705568c
          • Instruction ID: bbac019b23ec9bba76f5c1b94f47a20e7e4d8badd3f71ac4ad78f24a1a322c6f
          • Opcode Fuzzy Hash: b30e87919e1801eb3aa18b99a79989427a97fc347df8e849dbd210b43705568c
          • Instruction Fuzzy Hash: 5741D271A006029BC724DF29D981A2AB7E9EB45354B10063FE456E73E0E778E905C76A
          Function 0040F151 Relevance: 6.1, APIs: 4, Instructions: 110COMMON
          Download Yara Rule
          APIs
          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000,?,?,?,004095C4,00000001,?,?,00000001,?,004096F7), ref: 0040F19E
          • MultiByteToWideChar.KERNEL32(?,00000001,?,00000001,00000000,00000001,?,?,?,004095C4,00000001,?,?,00000001,?,004096F7), ref: 0040F227
          • GetStringTypeW.KERNEL32(?,00000000,00000000,004095C4,?,?,?,004095C4,00000001,?,?,00000001,?,004096F7,?,00000001), ref: 0040F239
          • __freea.LIBCMT ref: 0040F242
            • Part of subcall function 00409B44: HeapAlloc.KERNEL32(00000000,?,?,?,004071B5,?,?,?,?,?,0040232D,00404584,?,?,00404584), ref: 00409B76
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ByteCharMultiWide$AllocHeapStringType__freea
          • String ID:
          • API String ID: 573072132-0
          • Opcode ID: 77f54d69b030fc0044ea9aa385975c4f8fe243b4312b8d35308b85528f3bfee1
          • Instruction ID: 512b04379e6a838b32722feee948c7acc3d8876ca6f5dddda010fddc36e9784c
          • Opcode Fuzzy Hash: 77f54d69b030fc0044ea9aa385975c4f8fe243b4312b8d35308b85528f3bfee1
          • Instruction Fuzzy Hash: C431CE32A0020AABDB259FA5CC45EEF7BA5EB40314B04417EEC04E6291E739DC94CB94
          Function 00408BC9 Relevance: 6.1, APIs: 4, Instructions: 65timeCOMMON
          Download Yara Rule
          APIs
          • FileTimeToSystemTime.KERNEL32(00000000,?,?,?,00000000,00000000,000000FF,?,?,00000000), ref: 00408BF7
          • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00408C0B
          • GetLastError.KERNEL32 ref: 00408C53
          • __dosmaperr.LIBCMT ref: 00408C5A
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: Time$System$ErrorFileLastLocalSpecific__dosmaperr
          • String ID:
          • API String ID: 593088924-0
          • Opcode ID: 66ba25885fa02358f6a7470c051f6b3c8e8451d13ea520a3d931c7a08a5a69d3
          • Instruction ID: 8bb1349c06974e399ddb389eb7fbc4732d969f13515852d7df73d17925f9181a
          • Opcode Fuzzy Hash: 66ba25885fa02358f6a7470c051f6b3c8e8451d13ea520a3d931c7a08a5a69d3
          • Instruction Fuzzy Hash: 2B21DE7290510CAFDB10DFA1C985ADF77BCAB48310F50427AE516E61D0EF38EA458B65
          Function 0040ABCB Relevance: 6.1, APIs: 4, Instructions: 63COMMON
          Download Yara Rule
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7ee55be628356674c7006fafc0f87ded411dfc50adabf559d6154b96a4732128
          • Instruction ID: 5e43adfb19449af6642c75d7455ad3a127005c9fc59d7de8b8feeff0835e8e3f
          • Opcode Fuzzy Hash: 7ee55be628356674c7006fafc0f87ded411dfc50adabf559d6154b96a4732128
          • Instruction Fuzzy Hash: 5B01BCB220931A7EF6301A786CC1E6B725DDB503B8B21033BB621612C4DA7C8C21916A
          Function 0040C4D7 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0040C47E,?,00000000,00000000,00000000,?,0040C6EF,00000006,FlsSetValue), ref: 0040C509
          • GetLastError.KERNEL32(?,0040C47E,?,00000000,00000000,00000000,?,0040C6EF,00000006,FlsSetValue,00419F20,00419F28,00000000,00000364,?,0040BDAE), ref: 0040C515
          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0040C47E,?,00000000,00000000,00000000,?,0040C6EF,00000006,FlsSetValue,00419F20,00419F28,00000000), ref: 0040C523
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: LibraryLoad$ErrorLast
          • String ID:
          • API String ID: 3177248105-0
          • Opcode ID: 65987c33a4870a61ec0d88cfa2783c5b4bcde42e3c776262c33830971a0c1e51
          • Instruction ID: 6380d94804746b704030005758720c13e73b28941d8c184123fdba221520e63c
          • Opcode Fuzzy Hash: 65987c33a4870a61ec0d88cfa2783c5b4bcde42e3c776262c33830971a0c1e51
          • Instruction Fuzzy Hash: F801FC36611632FBC7214BADAC84AA73BA8AF497A17114731F905F72C0D734F901C6E8
          Function 00402230 Relevance: 6.0, APIs: 4, Instructions: 40COMMON
          Download Yara Rule
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ac2c024898f4b245a35f12b7cce9795117e1af5b522237a5aa5cd6410490a6cb
          • Instruction ID: 599de7a54721eb8155e436ef4736af534507c2350c8ac348b7faf381059bf985
          • Opcode Fuzzy Hash: ac2c024898f4b245a35f12b7cce9795117e1af5b522237a5aa5cd6410490a6cb
          • Instruction Fuzzy Hash: 7DF027F36042041BD708E3B4A917E6F32888B74318704023FF61AE26C1F539D864855E
          Function 00408128 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
          Download Yara Rule
          APIs
          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00408128
          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0040812D
          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00408132
            • Part of subcall function 004084E9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004084FA
          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00408147
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
          • String ID:
          • API String ID: 1761009282-0
          • Opcode ID: 4620ded051c162a4ab368f0813539878333b42ab7183a8981c68f5926920f08c
          • Instruction ID: 0feefd6e7a9dcf97134fbbcdd833eb7569e1ded764c4512838079dcd10bc9bae
          • Opcode Fuzzy Hash: 4620ded051c162a4ab368f0813539878333b42ab7183a8981c68f5926920f08c
          • Instruction Fuzzy Hash: 31C0027401461360DC503A721B421AA17402D623DDBD020BFE8C53A5C37D3D040B512F
          Function 00409D2D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON
          Download Yara Rule
          APIs
          • __startOneArgErrorHandling.LIBCMT ref: 00409DBD
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ErrorHandling__start
          • String ID: pow
          • API String ID: 3213639722-2276729525
          • Opcode ID: 89aae3a5647528a4d97b6ae6a42fabe9c956c69cb8fa3c9ac7f938d036d1b9a1
          • Instruction ID: 3eabbc112abf6287ad78030cf2cf251621e1beafa91c7b8843af6e1d8866db47
          • Opcode Fuzzy Hash: 89aae3a5647528a4d97b6ae6a42fabe9c956c69cb8fa3c9ac7f938d036d1b9a1
          • Instruction Fuzzy Hash: FD516D61A0910696DB117716C9413BB37A49F50701F208D7BF0D5623EAEB3D8CF5968F
          Function 00402DF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147COMMON
          Download Yara Rule
          APIs
          • std::_Xinvalid_argument.LIBCPMT ref: 00402F25
          • std::_Xinvalid_argument.LIBCPMT ref: 00402F2F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: Xinvalid_argumentstd::_
          • String ID: string too long
          • API String ID: 909987262-2556327735
          • Opcode ID: a904f873c3e27bc27a61258efc716a507fefc5f3dd25c960804420f830d219cd
          • Instruction ID: 85cd45213759bfd326ecc2e2a8360a1ab255e1e451396078c8cea420fa8a3e1a
          • Opcode Fuzzy Hash: a904f873c3e27bc27a61258efc716a507fefc5f3dd25c960804420f830d219cd
          • Instruction Fuzzy Hash: 2141E4313442008BC724DE58EA88927B3EAEB957113200A3FE542EB6D0DBB4EC05D7ED
          Function 004026F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON
          Download Yara Rule
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID:
          • String ID: string too long
          • API String ID: 0-2556327735
          • Opcode ID: 487aea21fec2e29eb2f7db7b9444a1c668b841a6d5bd1c0b54d7b458f09e6a87
          • Instruction ID: 6718b6c2107a5b23a342d503e1025e29147def940efdb10f1ca3366c28115f34
          • Opcode Fuzzy Hash: 487aea21fec2e29eb2f7db7b9444a1c668b841a6d5bd1c0b54d7b458f09e6a87
          • Instruction Fuzzy Hash: 8031D3363046008BCB349E5DEAC886BB3A9FF95711320453FE542E76D0D7B5A849C7AD
          Function 00401B40 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON
          Download Yara Rule
          APIs
          • std::_Xinvalid_argument.LIBCPMT ref: 00401C5B
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: Xinvalid_argumentstd::_
          • String ID: invalid string position$string too long
          • API String ID: 909987262-4289949731
          • Opcode ID: 0b8ab227b915edf27cfca804e795f54def291a07adb0b180a46c7435900354b4
          • Instruction ID: 4350cead44ed5ab31cb3f3d539257fd7a892b7d14c681f0375fd391c803237d8
          • Opcode Fuzzy Hash: 0b8ab227b915edf27cfca804e795f54def291a07adb0b180a46c7435900354b4
          • Instruction Fuzzy Hash: 2E3105323043108BD7249E5DE880B57F7E9EB95761F10093FE6559B2D2D7B6E840C3A9
          Function 00401820 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON
          Download Yara Rule
          APIs
          • std::_Xinvalid_argument.LIBCPMT ref: 00401935
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: Xinvalid_argumentstd::_
          • String ID: invalid string position$string too long
          • API String ID: 909987262-4289949731
          • Opcode ID: 9f2a7bfef2e2428048f2067e4509eecec52f7da7a1d745b31c79f9ad309d4b66
          • Instruction ID: b5c334c06d014f47bfb49e50dd55c9dee9af8ba5bc1378df0b1d42719fed28af
          • Opcode Fuzzy Hash: 9f2a7bfef2e2428048f2067e4509eecec52f7da7a1d745b31c79f9ad309d4b66
          • Instruction Fuzzy Hash: 9331CD33304314DBC724AE69E88085BF3E9EFD8B51320493FE546D72A0DB35AA54C7A9
          Function 00404B16 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE
          Download Yara Rule
          APIs
          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00404B5A
          • ___raise_securityfailure.LIBCMT ref: 00404C41
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: FeaturePresentProcessor___raise_securityfailure
          • String ID: H,B
          • API String ID: 3761405300-539709048
          • Opcode ID: b4c04d99618068d419dedac5404ebb96b96e4fa82eb6cc16d85986644676f1a2
          • Instruction ID: 052c40b602ece88b5a8612764514d0a3388197a280e22c9e4c4cddb85fbb46e9
          • Opcode Fuzzy Hash: b4c04d99618068d419dedac5404ebb96b96e4fa82eb6cc16d85986644676f1a2
          • Instruction Fuzzy Hash: 7121C3B4660204AAD324CF19EE817557BA4AB48350FD0453AEA089A6B1D7F49593CF4D
          Function 00410818 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON
          Download Yara Rule
          APIs
            • Part of subcall function 0040BCDC: GetLastError.KERNEL32(?,?,0040B52C,00420718,0000000C,00405687), ref: 0040BCE0
            • Part of subcall function 0040BCDC: _free.LIBCMT ref: 0040BD13
            • Part of subcall function 0040BCDC: SetLastError.KERNEL32(00000000), ref: 0040BD54
            • Part of subcall function 0040BCDC: _abort.LIBCMT ref: 0040BD5A
          • _abort.LIBCMT ref: 0041084A
          • _free.LIBCMT ref: 0041087E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2609071452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2609050721.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609093715.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609113824.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609134136.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609153855.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2609185707.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd
          Similarity
          • API ID: ErrorLast_abort_free
          • String ID: `&B
          • API String ID: 289325740-3969561002
          • Opcode ID: 9d07433f83eae26126034b1a6cfac5b4998af9a3d26eff3265eea34d38613e45
          • Instruction ID: 4e49ab1c499d57525365d9bc9404fddb8aab5f4ad752d3df6904e89dc88b9448
          • Opcode Fuzzy Hash: 9d07433f83eae26126034b1a6cfac5b4998af9a3d26eff3265eea34d38613e45
          • Instruction Fuzzy Hash: FA015E32E05625EBC735BF59850169AB760BF04750B15422FE85463781CBBC69D28FCE